480,000 Catholic Health Patients Impacted by Serviceaide Data Leak
Enterprise management solutions provider Serviceaide has informed the Department of Health and Human Services (HHS) that a data leak impacts the personal and medical information of nearly half a million Catholic Health patients. California-based Serviceaide, whose solutions are used by organizations worldwide, discovered in November 2024 that an Elasticsearch database maintained for one of its customers, Buffalo, New York-based non-profit healthcare system Catholic Health, had been inadvertently made publicly available. An investigation showed that the database had been exposed between September 19 and November 5, 2024. While Serviceaide did not find any evidence that the information was exfiltrated, the company said it cannot definitively rule it out. According to a data breach notice posted on the Serviceaide website, the exposed information varies for each individual, but it can include name, SSN, date of birth, medical record number, patient account number, medical information, health insurance information, prescription and treatment information, clinical information, healthcare provider details, email or username, and password. Impacted individuals are being notified and offered 12 months of free credit monitoring and identity theft protection services. Serviceaide informed the HHS, according to the government organization’s incident tracker, that just over 483,000 individuals are impacted by the data breach. It’s not uncommon for healthcare data breaches to impact hundreds of thousands of individuals, and some incidents affect millions and even tens of millions.
·securityweek.com·
Arla Foods confirms cyberattack disrupts production, causes delays
Arla Foods has confirmed to BleepingComputer that it was targeted by a cyberattack that has disrupted its production operations. The Danish food giant clarified that the attack only affected its production unit in Upahl, Germany, though it expects this will result in product delivery delays or even cancellations. "We can confirm that we have identified suspicious activity at our dairy site in Upahl that impacted the local IT network," stated an Arla spokesperson. "Due to the safety measures initiated as a result of the incident, production was temporarily affected." Arla Foods is an international dairy producer and a farmer-owned cooperative with 7,600 members. It employs 23,000 people in 39 countries. The firm has an annual revenue of €13.8 billion ($15.5 billion), and its products, including the brands Arla, Lurpak, Puck, Castello, and Starbucks, are sold in 140 countries worldwide. The company told BleepingComputer that it is currently working to resume operations at the impacted facility, which should bring results before the end of the week. "Since then, we've been working diligently to restore full operations. We expect to return to normal operations at the site in the next few days. Production at other Arla sites is not affected." Considering that the first reports about a disruption at Arla's production operations surfaced on Friday, it is bound to cause shortages in some cases. "We have informed our affected customers about possible delivery delays and cancellations," explained Arla's spokesperson. BleepingComputer has asked the firm if the attack involved data theft or encryption, both staples of a ransomware attack, but Arla declined to share any additional information at this time. Meanwhile, there have been no announcements about Arla on ransomware extortion portals, so the type of attack and the perpetrators remain unknown.
·bleepingcomputer.com·
A Letter From Our CEO
Dear Friends, Neighbors, and Valued Cellcom/Nsight Customers, Over the past five days, many of you have been impacted by a service disruption — and I want to begin by saying something simple, and deeply meant: I’m here. While I’ve been closely involved from the very beginning, this is the first time I’m writing to you directly. That wasn’t because I didn’t want to — it was because I truly believed we’d be past this quickly. I stayed focused on the fix, confident that we’d be able to restore service fast. We’ve always believed in being present, open, and accountable to the people we serve. That’s what this letter is about. We experienced a cyber incident. While this is unfortunate, it’s not something we were unprepared for. We have protocols and plans in place for exactly this kind of situation. From the start, we’ve followed those plans — including engaging outside cybersecurity experts, notifying the FBI and Wisconsin officials, and working around the clock to bring systems safely back online. The incident was concentrated on an area of our network separate from where we store sensitive information related to you, our Cellcom/Nsight family. We have no evidence that personal information related to you, your name, your addresses, your financial information, is impacted by this event. Thanks to an incredible amount of hard work and tenacity, we achieved a major milestone last night. We are building on that success and expect to have the rest of service restored this week. Every part of this recovery is being handled with care and precision — we will not rush anything that compromises safety, security or trust. For 115 years, as a company that began as a local telephone provider, we've understood that connection is everything. Generations of my family have had the privilege of serving generations of yours. We've grown and changed with the times, but our purpose has always remained the same: helping you stay connected to what matters most. 
We know this disruption has caused frustration and, for some, real hardship — and for that, I am truly sorry. In the midst of it all, I’ve witnessed what makes this company special. Across the organization, people put mission ahead of role, put pride aside, and put the community first. We saw teams find creative solutions, take personal initiative, and step outside the bounds of job descriptions to make things right. That spirit — of care, urgency and accountability — has defined our response and will continue to shape our path forward. To our employees — thank you. Your heart and grit during these trying days make me proud beyond words. To our customers — thank you. Your patience, understanding and kindness mean the world to us. We’ve felt your support every step of the way, and we don’t take it for granted. We know that gratitude alone isn’t enough — we’re taking responsibility. We’re covering the time you were without service, and then some. Please know that we hear you, we appreciate you, and you have the very best team in the world on the case. I know we will be a better and stronger Cellcom/Nsight for this experience. Warmly, Brighid Riordan
·cellcom.com·
Microsoft’s AI security chief accidentally reveals Walmart’s AI plans after protest
Microsoft’s head of security for AI, Neta Haiby, accidentally revealed confidential messages about Walmart’s use of Microsoft’s AI tools during a Build talk that was disrupted by protesters. The Build livestream was muted and the camera pointed down, but the session resumed moments later after the protesters were escorted out. In the aftermath, Haiby then accidentally switched to Microsoft Teams while sharing her screen, revealing confidential internal messages about Walmart’s upcoming use of Microsoft’s Entra and AI gateway services. Haiby was co-hosting a Build session on best security practices for AI, alongside Sarah Bird, Microsoft’s head of responsible AI, when two former Microsoft employees disrupted the talk to protest against the company’s cloud contracts with the Israeli government. “Sarah, you are whitewashing the crimes of Microsoft in Palestine, how dare you talk about responsible AI when Microsoft is fueling the genocide in Palestine,” shouted Hossam Nasr, an organizer with the protest group No Azure for Apartheid, and a former Microsoft employee who was fired for holding a vigil outside Microsoft’s headquarters for Palestinians killed in Gaza. Walmart is one of Microsoft’s biggest corporate customers, and already uses the company’s Azure OpenAI service for some of its AI work. “Walmart is ready to rock and roll with Entra Web and AI Gateway,” says one of Microsoft’s cloud solution architects in the Teams messages. The chat session also quoted a Walmart AI engineer, saying: “Microsoft is WAY ahead of Google with AI security. We are excited to go down this path with you.”
·theverge.com·
BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
Akamai researcher Yuval Gordon discovered a privilege escalation vulnerability in Windows Server 2025 that allows attackers to compromise any user in Active Directory (AD). The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement. This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack. Although Microsoft states they plan to fix this issue in the future, a patch is not currently available. Therefore, organizations need to take other proactive measures to reduce their exposure to this attack. Microsoft has reviewed our findings and approved the publication of this information. In this blog post, we provide full details of the attack, as well as detection and mitigation strategies.
·akamai.com·
Swiss arrest in European dark net raid - SWI swissinfo.ch
A person has been arrested in Switzerland as part of a coordinated raid on 270 dark web sites in ten countries. The international raid, dubbed “RapTor”, dismantled networks trafficking drugs, weapons and counterfeit goods. The suspects were identified during the dismantling of the dark web markets Nemesis, Tor2Door, Bohemia and Kingdom Markets. Many of them made thousands of sales on illegal markets using encryption tools and cryptocurrencies to cover their tracks. Officers seized more than 180 firearms, over two tonnes of drugs and €184 million in cash and cryptocurrencies during the operation, which included arrests in ten countries, including Germany, France, Austria, Britain and the United States.
·swissinfo.ch·
TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC Infostealers Instead
Trend™ Research uncovered a campaign on TikTok that uses videos to lure victims into downloading information stealers, a tactic that can be automated using AI tools. Trend Research uncovered a new social engineering campaign using TikTok to deliver the Vidar and StealC information stealers. This attack uses videos (possibly AI-generated) to instruct users to execute PowerShell commands, which are disguised as software activation steps. TikTok’s algorithmic reach increases the likelihood of widespread exposure, with one video reaching more than half a million views. Businesses can be affected by data exfiltration, credential theft, and potential compromise of sensitive systems as a result of this threat. Reinforcing security awareness, especially against AI-generated content, is crucial. Monitoring for unusual command execution involving PowerShell or other system utilities also helps identify malicious activity early. Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on this campaign. Trend Research has uncovered a novel social engineering campaign using TikTok’s vast user base to distribute information-stealing malware, specifically Vidar and StealC. Unlike the prevalent Fake CAPTCHA campaign — which relies on fake CAPTCHA pages and clipboard hijacking to trick users into running malicious scripts — this new campaign pivots to exploiting the popularity and viral nature of TikTok. Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features. This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware.
This report details the observed tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), and the potential impact of this trend.
·trendmicro.com·
Hidden Threats of Dual-Function Malware Found in Chrome Extensions
An unknown actor has been continuously creating malicious Chrome Browser extensions since approximately February, 2024. The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, Crypto, banking and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store (CWS). The extensions typically have a dual functionality, in which they generally appear to function as intended, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code.
·dti.domaintools.com·
Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems. Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed. Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.
·bleepingcomputer.com·
Unit 42 Develops Agentic AI Attack Framework
Threat actors are advancing AI strategies and outpacing traditional security. CXOs must critically examine AI weaponization across the attack chain. The integration of AI into adversarial operations is fundamentally reshaping the speed, scale and sophistication of attacks. As AI defense capabilities evolve, so do the AI strategies and tools leveraged by threat actors, creating a rapidly shifting threat landscape that outpaces traditional detection and response methods. This accelerating evolution necessitates a critical examination for CXOs into how threat actors will strategically weaponize AI across each phase of the attack chain. One of the most alarming shifts we have seen, following the introduction of AI technologies, is the dramatic drop in mean time to exfiltrate (MTTE) data, following initial access. In 2021, the average MTTE stood at nine days. According to our Unit 42 2025 Global Incident Response Report, by 2024 MTTE dropped to two days. In one in five cases, the time from compromise to exfiltration was less than 1 hour. In our testing, Unit 42 was able to simulate a ransomware attack (from initial compromise to data exfiltration) in just 25 minutes using AI at every stage of the attack chain. That’s a 100x increase in speed, powered entirely by AI. Recent threat activity observed by Unit 42 has highlighted how adversaries are leveraging AI in attacks: Deepfake-enabled social engineering has been observed in campaigns from groups like Muddled Libra (also known as Scattered Spider), who have used AI-generated audio and video to impersonate employees during help desk scams. North Korean IT workers are using real-time deepfake technology to infiltrate organizations through remote work positions, which poses significant security, legal and compliance risks. Attackers are leveraging generative AI to conduct ransomware negotiations, breaking down language barriers and more effectively negotiating higher ransom payments. 
AI-powered productivity assistants are being used to identify sensitive credentials in victim environments.
·paloaltonetworks.com·
How Adversary Telegram Bots Help to Reveal Threats: Case Study - ANY.RUN's Cybersecurity Blog
Discover how to intercept data stolen by cybercriminals via Telegram bots and learn to use it to clarify the related threat landscape. While analyzing malware samples uploaded to ANY.RUN’s Interactive Sandbox, one particular case marked as “phishing” and “Telegram” drew the attention of our security analysts. Although this analysis session wasn’t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. This led us to apply a message interception technique for Telegram bots, previously described on the ANY.RUN blog. The investigation resulted in a clear and practical case study demonstrating how intercepting Telegram bot communications can aid in profiling the threat actor behind a relatively obscure phishing campaign. Key outcomes of this analysis include: examination and technical analysis of a lesser-known phishing campaign; demonstration of Telegram API-based data interception techniques; collection of threat intelligence (TI) indicators to help identify the actor; and recommendations for detecting this type of threat.
·any.run·
KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS
KrebsOnSecurity last week was hit by a near-record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been… For reference, the 6.3 Tbps attack last week was ten times the size of the assault launched against this site in 2016 by the Mirai IoT botnet, which held KrebsOnSecurity offline for nearly four days. The 2016 assault was so large that Akamai – which was providing pro-bono DDoS protection for KrebsOnSecurity at the time — asked me to leave their service because the attack was causing problems for their paying customers. Since the Mirai attack, KrebsOnSecurity.com has been behind the protection of Project Shield, a free DDoS defense service that Google provides to websites offering news, human rights, and election-related content. Google Security Engineer Damian Menscher told KrebsOnSecurity the May 12 attack was the largest Google has ever handled. In terms of sheer size, it is second only to a very similar attack that Cloudflare mitigated and wrote about in April. After comparing notes with Cloudflare, Menscher said the botnet that launched both attacks bears the fingerprints of Aisuru, a digital siege machine that first surfaced less than a year ago. Menscher said the attack on KrebsOnSecurity lasted less than a minute, hurling large UDP data packets at random ports at a rate of approximately 585 million data packets per second. “It was the type of attack normally designed to overwhelm network links,” Menscher said, referring to the throughput connections between and among various Internet service providers (ISPs). “For most companies, this size of attack would kill them.”
·krebsonsecurity.com·
Legal Aid hack: Names, financial details and criminal histories compromised in cyberattack, Ministry of Justice says
The cyberattackers claimed 2.1m pieces of customer data had been stolen from the Legal Aid Agency.
Millions of pieces of personal data, including criminal records, have been stolen from legal aid applicants in a massive cyberattack. The data, including national insurance numbers, employment status and financial data, was breached earlier this year, according to the Ministry of Justice (MoJ). The cyberattackers claimed they had stolen 2.1 million pieces of data from people who had applied for legal aid since 2010 but the MoJ only said a “significant amount of personal data” had been breached. An MoJ source put the breach down to the “neglect and mismanagement” of the previous government, saying vulnerabilities in the Legal Aid Agency (LAA) systems have been known for many years. “This data breach was made possible by the long years of neglect and mismanagement of the justice system under the last government,” the source said.
·independent.co.uk·
High Risk Warning for Windows Ecosystem: New Botnet Family HTTPBot is Expanding
In April 2025, the Global Threat Hunting system of NSFOCUS Fuying Lab detected a significant increase in the activity of a new Botnet Trojan developed based on Go language. Given that many of its built-in DDoS attack methods are HTTP-based, Fuying Lab named it HTTPBot. The HTTPBot Botnet family first came into our monitoring scope in August 2024. Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks. Monitoring data indicates that its attack targets are primarily concentrated in the domestic gaming industry. Additionally, some technology companies and educational institutions have also been affected. The attack of this Botnet family is highly targeted, with attackers employing a periodical and multi-stage attack strategy to conduct continuous saturation attacks on selected targets. In terms of technical implementation, the HTTPBot Botnet Trojan uses an “attack ID” to precisely initiate and terminate the attack process. It also incorporates a variety of innovative DDoS attack methods. By employing highly simulated HTTP Flood attacks and dynamic feature obfuscation techniques, it circumvents traditional rule-based detection mechanisms, including but not limited to the following detection bypass mechanisms:
Cookie replenishment mechanism
Randomize the UA and header of HTTP requests
Real browser calling
Randomize URL path
Dynamic rate control
Status code retry mechanism
In recent years, most emerging Botnet families have primarily focused on developing communication methods and network control. This includes creating specialized communication tools, separating vulnerabilities from Trojans to protect key information, and enhancing communication anonymity through techniques like DGA (Domain Generation Algorithm), DOH (DNS over HTTPS), and OpenNIC. These Botnets typically emphasize traffic-based attacks aimed at bandwidth consumption.
However, HTTPBot has taken a different approach by developing a range of HTTP-based attack methods to conduct transactional (business) DDoS attacks. Attackers can use these methods to precisely target high-value business interfaces and launch targeted saturation attacks on critical interfaces, such as game login and payment systems. This attack with “scalpel-like” precision poses a systemic threat to industries that rely on real-time interaction. HTTPBot marks a paradigm shift in DDoS attacks, moving from “indiscriminate traffic suppression” to “high-precision business strangulation.” This evolution forces defense systems to upgrade from simple “rule-based interception” to a more dynamic approach combining “behavioral analysis and resource elasticity.”
·nsfocusglobal.com·
Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
Key Takeaways: The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server, allowing for remote code execution. Using this access, the threat actor executed a consistent sequence of commands (installing AnyDesk, adding admin users, and enabling RDP) multiple times, suggesting the use of automation scripts or a playbook. Tools like Mimikatz, ProcessHacker, and Impacket Secretsdump were used to harvest credentials. The intrusion culminated in the deployment of ELPACO-team ransomware, a Mimic variant, approximately 62 hours after the initial Confluence exploitation. While ransomware was deployed and some event logs were deleted, no significant exfiltration of data was observed during the intrusion. This case was featured in our December 2024 DFIR Labs CTF and is available as a lab today. It was originally published as a Threat Brief to customers in October 2024.
·thedfirreport.com·
Rogue communication devices found in Chinese solar power inverters
Rogue communication devices found in Chinese solar inverters; undocumented cellular radios also found in Chinese batteries; U.S. says it continually assesses risk with emerging technology; U.S. working to integrate 'trusted equipment' into the grid.
LONDON, May 14 (Reuters) - U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said. Power inverters, which are predominantly produced in China, are used throughout the world to connect solar panels and wind turbines to electricity grids. They are also found in batteries, heat pumps and electric vehicle chargers. While inverters are built to allow remote access for updates and maintenance, the utility companies that use them typically install firewalls to prevent direct communication back to China. However, rogue communication devices not listed in product documents have been found in some Chinese solar power inverters by U.S. experts who strip down equipment hooked up to grids to check for security issues, the two people said. Over the past nine months, undocumented communication devices, including cellular radios, have also been found in some batteries from multiple Chinese suppliers, one of them said. Reuters was unable to determine how many solar power inverters and batteries they have looked at. The rogue components provide additional, undocumented communication channels that could allow firewalls to be circumvented remotely, with potentially catastrophic consequences, the two people said. Both declined to be named because they did not have permission to speak to the media. "We know that China believes there is value in placing at least some elements of our core infrastructure at risk of destruction or disruption," said Mike Rogers, a former director of the U.S. National Security Agency.
"I think that the Chinese are, in part, hoping that the widespread use of inverters limits the options that the West has to deal with the security issue." A spokesperson for the Chinese embassy in Washington said: "We oppose the generalisation of the concept of national security, distorting and smearing China's infrastructure achievements."
·reuters.com·
You're Invited: Delivering malware via Google Calendar invites and PUAs
Threat actor used malicious Google Invites and hidden Unicode “Private Use Access” characters (PUAs) to brilliantly obfuscate and hide a malicious NPM package. On March 19th, 2025, we discovered a package called os-info-checker-es6 and were taken aback. We could tell it was not doing what it said on the tin. But what's the deal? We decided to investigate the matter and initially hit some dead ends. But patience pays off, and we eventually got most of the answers we sought. We also learned about Unicode PUAs (No, not pick-up artists). It was a roller coaster ride of emotions!
·aikido.dev·
Twilio denies breach following leak of alleged Steam 2FA codes
Twilio has denied in a statement to BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes. The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam, offering to sell it for $5,000. When examining the leaked files, which contained 3,000 records, BleepingComputer found historic SMS text messages with one-time passcodes for Steam, including the recipient's phone number. Owned by Valve Corporation, Steam is the world's largest digital distribution platform for PC games, with over 120 million monthly active users. Valve did not respond to our requests for a comment on the threat actor's claims. Independent games journalist MellowOnline1, who is also the creator of the SteamSentinels community group that monitors abuse and fraud in the Steam ecosystem, suggests that the incident is a supply-chain compromise involving Twilio. MellowOnline1 pointed to technical evidence in the leaked data that indicates real-time SMS log entries from Twilio's backend systems, hypothesizing a compromised admin account or abuse of API keys.
·bleepingcomputer.com·
Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own
During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox. The highlight was a successful attempt from Nguyen Hoang Thach of STARLabs SG against the VMware ESXi, which earned him $150,000 for an integer overflow exploit. Dinh Ho Anh Khoa of Viettel Cyber Security was awarded $100,000 for hacking Microsoft SharePoint by leveraging an exploit chain combining an auth bypass and an insecure deserialization flaw. Palo Alto Networks' Edouard Bochin and Tao Yan also demoed an out-of-bounds write zero-day in Mozilla Firefox, while Gerrard Tai of STAR Labs SG escalated privileges to root on Red Hat Enterprise Linux using a use-after-free bug, and Viettel Cyber Security used another out-of-bounds write for an Oracle VirtualBox guest-to-host escape. In the AI category, Wiz Research security researchers used a use-after-free zero-day to exploit Redis and Qrious Secure chained four security flaws to hack Nvidia's Triton Inference Server. On the first day, competitors were awarded $260,000 after successfully exploiting zero-day vulnerabilities in Windows 11, Red Hat Linux, and Oracle VirtualBox, reaching a total of $695,000 earned over the first two days of the contest after demonstrating 20 unique 0-days. The Pwn2Own Berlin 2025 hacking competition focuses on enterprise technologies, introduces an AI category for the first time, and takes place during the OffensiveCon conference between May 15 and May 17.
·bleepingcomputer.com·
US man who hacked SEC's X account to spike Bitcoin price sentenced to prison | TechCrunch
Eric Council Jr., 26, was sentenced to 14 months in prison and three years of supervised release on Friday for participating in the hack of the official X account of the U.S. Securities and Exchange Commission. The U.S. Department of Justice announced the sentencing in a press release. Council and other hackers took over the SEC’s X account in 2024 to falsely announce that the agency had approved Bitcoin exchange-traded funds, or ETFs, which shot up the price of the cryptocurrency before it later dropped. According to the DOJ, Council and his co-conspirators performed a SIM swap attack against the cellphone account of a person who had access to the SEC’s X account, which allowed the hackers to take control of that person's phone number. From there, the hackers reset the password of the SEC’s X account, granting them control of the account.
·techcrunch.com·
Printer company provided infected software downloads for half a year
When Cameron Coward, the YouTuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, the antivirus software alerted him to a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files so that it can spread to network shares, removable drives like USB flash drives, or backup storage systems. The printer company Procolored assured him at first that these were false positives. Nevertheless, Cameron turned to Reddit in the hope of finding a professional malware analyst who could figure out the truth. All these software downloads are available on mega.nz, with a different mega folder link for each product. Overall, there are 8 GB of files and archives for all six products. Most files were last updated in October 2024, which is six months ago at the time of writing.
·gdatasoftware.com·
Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)
Keeping your ears to the ground and eyes wide open for the latest vulnerability news at watchTowr is a given. Despite rummaging through enterprise code looking for 0days on a daily basis, our interest was piqued this week when news of fresh vulnerabilities was announced in a close friend - Ivanti, and their Endpoint Manager Mobile (Ivanti EPMM) solution. For those out of the loop, don’t worry - as always, we’re here to fill you in. Ivanti Endpoint Manager Mobile (EPMM) is an MDM solution for system administrators to install and manage devices within an organization. It hopes to prevent you from installing malware or enjoying your life by watching YouTube during any permitted and sanctioned downtime. Why Is This Important? Well, short of their intended functionality, MDM solutions are, in a sense, C2 frameworks for enterprises… allowing system administrators to manage software on their devices. Picture this: You’ve compromised the MDM solution at one of the largest banks and are able to deploy malicious software at scale to employee devices. And it's Friday!
·labs.watchtowr.com·
Trump's sanctions on ICC prosecutor have halted tribunal's work
The International Criminal Court’s chief prosecutor has lost access to his email, and his bank accounts have been frozen. The Hague-based court’s American staffers have been told that if they travel to the U.S. they risk arrest. Some nongovernmental organizations have stopped working with the ICC, and the leaders of one won’t even reply to emails from court officials. Those are just some of the hurdles facing court staff since U.S. President Donald Trump in February slapped sanctions on its chief prosecutor, Karim Khan, according to interviews with current and former ICC officials, international lawyers and human rights advocates. The sanctions will “prevent victims from getting access to justice,” said Liz Evenson, international justice director at Human Rights Watch. Trump sanctioned the court after a panel of ICC judges in November issued arrest warrants for Israeli Prime Minister Benjamin Netanyahu and his former defense minister, Yoav Gallant. Judges found there was reason to believe that the pair may have committed war crimes by restricting humanitarian aid and intentionally targeting civilians in Israel’s campaign against Hamas in Gaza — charges Israeli officials deny. One reason the court has been hamstrung is that it relies heavily on contractors and non-governmental organizations. Those businesses and groups have curtailed work on behalf of the court because they were concerned about being targeted by U.S. authorities, according to current and former ICC staffers. Microsoft, for example, cancelled Khan’s email address, forcing the prosecutor to move to Proton Mail, a Swiss email provider, ICC staffers said. His bank accounts in his home country of the U.K. have been blocked. Microsoft did not respond to a request for comment. Staffers at an NGO that plays an integral role in the court’s efforts to gather evidence and find witnesses said the group has transferred money out of U.S. bank accounts because they fear it might be seized by the Trump administration.
·apnews.com·
EU bug database fully operational as US slashes infosec
The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems. As of Tuesday, the full-fledged version of the website is up and running. "The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it," ENISA Executive Director Juhan Lepassaar said in a statement announcing the EUVD. "The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures," Lepassaar continued. The European Union Agency for Cybersecurity (ENISA) first announced the project in June 2024 under a mandate from the EU's Network and Information Security 2 Directive, and quietly rolled out a limited-access beta version last month during a period of uncertainty surrounding the United States' Common Vulnerabilities and Exposures (CVE) program. Register readers — especially those tasked with vulnerability management — will recall that the US government's funding for the CVE program was set to expire in April until the US Cybersecurity and Infrastructure Security Agency, aka CISA, swooped in at the 11th hour and renewed the contract with MITRE to operate the initiative.
·theregister.com·
Open-source toolset of an Ivanti CSA attacker
In September and October 2024, Ivanti published multiple[1] security[2] advisories[3] regarding security policy bypasses and remote code execution vulnerabilities in their Cloud Services Appliance (CSA) product. It was later revealed by FortiGuard Labs Threat Research's work[4] that some threat actors had been actively chaining these vulnerabilities as early as September 9, 2024, before any security advisory or patch was publicly released by Ivanti. In some compromise scenarios, even though the initial access stemmed from the exploitation of zero-day vulnerabilities, later stages were short of such proficient attacker tradecraft. Threat actors were seen using known malicious tools and noisy payloads for lateral movement, persistence and credential dumping. Synacktiv's CSIRT was recently in charge of different forensic investigations where the root cause was a vulnerable CSA appliance exposed to the internet. During these engagements, we found a set of open-source tools used by the attacker to achieve its goals. In this article, we take a tour of the OSS toolset from an Ivanti CSA exploiter and discuss related detection capabilities. Tools covered: suo5, iox, atexec-pro.
·synacktiv.com·
Breaking Out of Restricted Mode: XSS to RCE in Visual Studio Code
In April 2024, I discovered a high-severity vulnerability in Visual Studio Code (VS Code 1.89.1) that allows attackers to escalate a Cross-Site Scripting (XSS) bug into full Remote Code Execution (RCE)—even in Restricted Mode. The desktop version of Visual Studio Code runs on Electron. Renderer processes are sandboxed and communicate with the main process through Electron’s IPC mechanism. An XSS vulnerability in the newly-introduced minimal error rendering mode for Jupyter notebooks enables arbitrary JavaScript code to be executed within the vscode-app WebView for the notebook renderer. The vulnerability can be triggered by opening a crafted .ipynb file if the user has the setting enabled, or by opening a folder containing a crafted settings.json file in VS Code and opening a malicious ipynb file within the folder. This vulnerability can be triggered even when Restricted Mode is enabled (which is the default for workspaces that have not been explicitly trusted by the user). In this post, we’ll walk through how the bug works and how it bypasses VS Code’s Restricted Mode.
·starlabs.sg·
Protecting Our Customers - Standing Up to Extortionists
Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers. No passwords, private keys, or funds were exposed, and Coinbase Prime accounts are untouched. We will reimburse customers who were tricked into sending funds to the attacker. We’re cooperating closely with law enforcement to pursue the harshest penalties possible and will not pay the $20 million ransom demand we received. Instead, we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.
What happened
Criminals targeted our customer support agents overseas. They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users. Their aim was to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto. They then tried to extort Coinbase for $20 million to cover this up. We said no.
What they got
Name, address, phone, and email
Masked Social Security (last 4 digits only)
Masked bank-account numbers and some bank account identifiers
Government-ID images (e.g., driver’s license, passport)
Account data (balance snapshots and transaction history)
Limited corporate data (including documents, training material, and communications available to support agents)
·coinbase.com·
Ivanti warns of critical Neurons for ITSM auth bypass flaw
Ivanti has released security updates for its Neurons for ITSM IT service management solution that mitigate a critical authentication bypass vulnerability. Tracked as CVE-2025-22462, the security flaw can let unauthenticated attackers gain administrative access to unpatched systems in low-complexity attacks, depending on system configuration. As the company highlighted in a security advisory released today, organizations that followed its guidance are less exposed to attacks. "Customers who have followed Ivanti's guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment," Ivanti said. "Customers who have users log into the solution from outside their company network also have a reduced risk to their environment if they ensure that the solution is configured with a DMZ." Ivanti added that CVE-2025-22462 only impacts on-premises instances running versions 2023.4, 2024.2, 2024.3, and earlier, and said that it found no evidence that the vulnerability is being exploited to target customers.
Product Name | Affected Version(s) | Resolved Version(s)
Ivanti Neurons for ITSM (on-prem only) | 2023.4, 2024.2, and 2024.3 | 2023.4 May 2025 Security Patch; 2024.2 May 2025 Security Patch; 2024.3 May 2025 Security Patch
The company also urged customers today to patch a default credentials security flaw (CVE-2025-22460) in its Cloud Services Appliance (CSA) that can let local authenticated attackers escalate privileges on vulnerable systems. While this vulnerability isn't exploited in the wild either, Ivanti warned that the patch won't be applied correctly after installing today's security updates and asked admins to reinstall from scratch or use these mitigation steps to ensure their network is protected from potential attacks.
·bleepingcomputer.com·
China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
EclecticIQ analysts assess with high confidence that, in April 2025, China-nexus nation-state APTs (advanced persistent threats) launched high-tempo exploitation campaigns against critical infrastructure networks by targeting SAP NetWeaver Visual Composer. Actors leveraged CVE-2025-31324 [1], an unauthenticated file upload vulnerability that enables remote code execution (RCE). This assessment is based on a publicly exposed directory (opendir) found on attacker-controlled infrastructure, which contained detailed event logs capturing operations across multiple compromised systems. EclecticIQ analysts link observed SAP NetWeaver intrusions to Chinese cyber-espionage units including UNC5221 [2], UNC5174 [3], and CL-STA-0048 [4] based on threat actor tradecraft patterns. Mandiant and Palo Alto researchers assess that these groups connect to China's Ministry of State Security (MSS) or affiliated private entities. These actors operate strategically to compromise critical infrastructures, exfiltrate sensitive data, and maintain persistent access across high-value networks worldwide.
Uncategorized China-Nexus Threat Actor Scanning the Internet for CVE-2025-31324 and Uploading Webshells
EclecticIQ analysts assess with high confidence that a very likely China-nexus threat actor is conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems. A threat actor-controlled server hosted at IP address 15.204.56[.]106 exposed the scope of the SAP NetWeaver intrusions [5].
·blog.eclecticiq.com·