Found 6880 bookmarks
Newest
Data Leaks from the Chinese Hacking-for-Hire Industry
Data Leaks from the Chinese Hacking-for-Hire Industry
spycloud.com We analyzed the VenusTech and Salt Typhoon data leaks to uncover the latest trends in the Chinese criminal underground. In late May, two particularly interesting Chinese datasets appeared for sale in posts on DarkForums, an English-language data breach and leak forum that has become popular since BreachForums went dark in mid-April. These two posts, which we’re calling the VenusTech Data Leak and the Salt Typhoon Data Leak, had some interesting similarities. Both posts: Were posted by new accounts that appear to have been created explicitly to sell a single dataset Included data that allegedly came from companies in China’s large hack-for-hire ecosystem Included data samples that, while limited, give us some insight into the companies they came from While the samples provided on DarkForums were relatively small in comparison to previous data leaks of a similar nature (including Chinese IT contractor leaks, such as TopSec and iSoon), the latest leaks provide critical pivot points for assessing the state and structure of the Chinese cybersecurity contractor ecosystem. We wanted to take a moment to analyze these two recent posts, dive into the sample data, and make some connections between this activity and some overall trends we are observing in our research into the Chinese cybercriminal underground. Analysis of the VenusTech Data Leak VenusTech is a major IT security vendor in China with a focus on serving government clients. It was founded in 1996 and is traded on the Shenzhen Stock Exchange. They have previously documented ties to the hack-for-hire industry including procuring services from XFocus, who created the original Blaster worm in 2003, as well as providing startup funding to Integrity Tech, the company responsible for the offensive hacking activity associated with Flax Typhoon. On May 17, a post relating to VenusTech was created by an account called “IronTooth” and titled “Chinese tech company venus leaked documents.” The IronTooth account appears to have been newly created and simply uses the default profile image for DarkForums. The full post text reads: selling sourced leaked documents dump of chinese tech company. includes papers, products sold to government, accesses, clients and more random shit sold to highest bidder after 48h. crossposted.
#spycloud.com#EN#2025#Hacking-for-Hire#Industry#VenusTech#salt-typhoon#China
·spycloud.com·
Data Leaks from the Chinese Hacking-for-Hire Industry
Four arrested by UK police over ransomware attacks on M&S, Co-op and Harrods
Four arrested by UK police over ransomware attacks on M&S, Co-op and Harrods
Four individuals in Britain were arrested early on Thursday morning by the National Crime Agency on suspicion of involvement in a range of ransomware attacks targeting the British retail sector earlier this year. The individuals are a 20-year-old British woman from Staffordshire, a 19-year-old Latvian male from the West Midlands, a 19-year-old British man from London and a 17-year-old British male from the West Midlands. All four are now in custody having been arrested at home, and the NCA said its officers have seized their electronic devices for forensic analysis. The individuals are suspected of involvement in three incidents in April impacting British retailers Marks & Spencer, the Co-op and the London-based luxury store Harrods. The NCA said the individuals are suspected of Computer Misuse Act offenses, blackmail, money laundering and participating in the activities of an organized crime group. “Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency’s highest priorities,” said Paul Foster, the head of the NCA’s National Cyber Crime Unit. “Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice. “Cyber attacks can be hugely disruptive for businesses and I’d like to thank M&S, Co-op and Harrods for their support to our investigations. Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help.”
#therecord.media#EN#2025#busted#Scattered-Spider
·therecord.media·
Four arrested by UK police over ransomware attacks on M&S, Co-op and Harrods
Data Brokers are Selling Your Flight Information to CBP and ICE
Data Brokers are Selling Your Flight Information to CBP and ICE
For many years, data brokers have existed in the shadows, exploiting gaps in privacy laws to harvest our information—all for their own profit. They sell our precise movements without our knowledge or meaningful consent to a variety of private and state actors, including law enforcement agencies. And they show no sign of stopping. This incentivizes other bad actors. If companies collect any kind of personal data and want to make a quick buck, there’s a data broker willing to buy it and sell it to the highest bidder–often law enforcement and intelligence agencies. One recent investigation by 404 Media revealed that the Airlines Reporting Corporation (ARC), a data broker owned and operated by at least eight major U.S. airlines, including United Airlines and American Airlines, collected travelers’ domestic flight records and secretly sold access to U.S. Customs and Border Protection (CBP). Despite selling passengers’ names, full flight itineraries, and financial details, the data broker prevented U.S. border forces from revealing it as the origin of the information. So, not only is the government doing an end run around the Fourth Amendment to get information where they would otherwise need a warrant—they’ve also been trying to hide how they know these things about us. ARC’s Travel Intelligence Program (TIP) aggregates passenger data and contains more than one billion records spanning 39 months of past and future travel by both U.S. and non-U.S. citizens. CBP, which sits within the U.S. Department of Homeland Security (DHS), claims it needs this data to support local and state police keeping track of people of interest. But at a time of growing concerns about increased immigration enforcement at U.S. ports of entry, including unjustified searches, law enforcement officials will use this additional surveillance tool to expand the web of suspicion to even larger numbers of innocent travelers. More than 200 airlines settle tickets through ARC, with information on more than 54% of flights taken globally. ARC’s board of directors includes representatives from U.S. airlines like JetBlue and Delta, as well as international airlines like Lufthansa, Air France, and Air Canada. In selling law enforcement agencies bulk access to such sensitive information, these airlines—through their data broker—are putting their own profits over travelers' privacy. U.S. Immigration and Customs Enforcement (ICE) recently detailed its own purchase of personal data from ARC. In the current climate, this can have a detrimental impact on people’s lives.
#eff#EN#2025#privacy#data-broker#US#ICE
·eff.org·
Data Brokers are Selling Your Flight Information to CBP and ICE
New “Opossum” Attack Breaches Secure TLS by Injecting Malicious Messages
New “Opossum” Attack Breaches Secure TLS by Injecting Malicious Messages
gbhackers.com July 10, 2025 - A newly discovered man-in-the-middle exploit dubbed “Opossum” has demonstrated the unsettling ability to compromise secure communications. Researchers warn that Opossum targets a wide range of widely used application protocols—including HTTP, FTP, POP3, SMTP, LMTP and NNTP—that support both “implicit” TLS on dedicated ports and “opportunistic” TLS via upgrade mechanisms. By exploiting subtle implementation differences between these two modes, an attacker can provoke a desynchronization between client and server, ultimately subverting the integrity guarantees of TLS and manipulating the data seen by the client. The Opossum attack is built upon vulnerabilities first highlighted in the ALPACA attack, which identified weaknesses in TLS authentication when application protocols allow switching between encrypted and plaintext channels. Even with ALPACA countermeasures in place, Opossum finds fresh leverage points at the application layer. When a client connects to a server’s implicit TLS port—such as HTTPS on port 443—the attacker intercepts and redirects the request to the server’s opportunistic-TLS endpoint on port 80. By posing as the client, the attacker initiates a plaintext session that is then upgraded to TLS with crafted “Upgrade” headers. Simultaneously, the attacker relays the original client’s handshake to the server, mapping the two TLS sessions behind the scenes.
#gbhackers#EN#2025#Opossum#man-in-the-middle#TLS#injection#desynchronization#ALPACA
·gbhackers.com·
New “Opossum” Attack Breaches Secure TLS by Injecting Malicious Messages
French intel chief warns of evolving Russian hybrid operations, ‘existential threat’ to Europe | The Record from Recorded Future News
French intel chief warns of evolving Russian hybrid operations, ‘existential threat’ to Europe | The Record from Recorded Future News
therecord.media July 9th, 2025 - DGSE intelligence head Nicolas Lerner said Moscow’s tactics are evolving and increasingly include on-the-ground activities carried out by paid operatives. France’s top intelligence official has warned that Russia is waging "a war of influence" against the country through hybrid online disinformation, espionage and sabotage operations. Nicolas Lerner, head of the DGSE foreign intelligence agency, said in an interview with French broadcaster LCI that Moscow’s tactics are evolving and now include physical operations carried out by paid intermediaries. He cited an incident last year in which suspected Russian saboteurs placed coffins near the Eiffel Tower draped in the French flag bearing the inscription “French soldiers of Ukraine.” “These are not amateur operations,” Lerner said. “They reflect a desire to disrupt our information space and undermine trust in our institutions.” He said that around 80 Russian agents were active in France before Russia’s full-scale invasion of Ukraine in 2022, and that 50 of them have since been expelled. Paris has also imposed sanctions on individuals linked to Moscow’s intelligence services. Lerner warned that Russia poses a medium- and long-term “existential threat” to Europe, its democracies and its values. His comments come amid alarm over a growing wave of alleged Russian hybrid operations across Europe. In recent months, NATO allies and EU member states have reported suspected sabotage, cyberattacks, and disinformation campaigns linked to Moscow. In June, trains between Amsterdam and The Hague were disrupted in what Dutch authorities suspect was a sabotage attempt tied to the NATO summit. Around the same time, pro-Russian hacktivists claimed responsibility for distributed denial-of-service attacks targeting summit-related organizations. In France, the high-speed rail network was hit by coordinated sabotage just hours before last year’s Olympic Games opening ceremony, affecting lines around Paris. Polish officials recently accused Russian intelligence of orchestrating a 2024 fire at a major Warsaw shopping mall. Warsaw responded by shutting down a Russian consulate. On Tuesday, three South London men were found guilty of carrying out an arson attack on a depot housing humanitarian aid intended for Ukraine. The men were hired by the Wagner Group, a private militia that has acted under the orders of the Kremlin. European officials have also warned of cyber operations targeting military, government, and critical infrastructure across the continent. On Wednesday, German media reported that a Kremlin-linked hacking group is attempting to steal sensitive data from the German armed forces.
#therecord.media#EN#2025#Russia#France#hybrid-operations#war-of-influence
·therecord.media·
French intel chief warns of evolving Russian hybrid operations, ‘existential threat’ to Europe | The Record from Recorded Future News
Canadian media giant Rogers named as victim of Chinese telecom hackers - Nextgov/FCW
Canadian media giant Rogers named as victim of Chinese telecom hackers - Nextgov/FCW
nextgov.com - July 9, 2025 09:30 AM ET Rogers is Canada’s top wireless provider and is among that nation’s core telecom firms mandated to comply with Canadian lawful access rules, which require them to share user data with investigators. Canadian telecom and mass media provider Rogers Communications was identified as a firm ensnared by a major Chinese hacking group that has targeted dozens of communications firms worldwide, according to two people familiar with the matter. The group, known as Salt Typhoon, was discovered inside a batch of American telecom operators last year and first brought to light by the Wall Street Journal in late September. The campaign likely began around two to three years ago and has expanded rapidly since. It’s not immediately clear what data, assets or other information were pilfered from Rogers networks. The people spoke on the condition of anonymity because the matter is sensitive. “These allegations are false. We were not compromised by Salt Typhoon and this has been verified by two independent cyber security firms. As part of ongoing work, we partner with government and industry to proactively monitor and investigate potential threats,” a company spokesperson said. "It’s important to note that if the Cyber Centre is aware of cyber threat activity in Canada, we alert the organization and provide mitigation support, advice and guidance," a spokesperson for the Canadian Centre for Cyber Security said, noting that they do not comment on specific or alleged cyber incidents but pointing to advisories they have issued about the threat posed by Salt Typhoon. "Through the Canadian Security Telecommunications Advisory Committee (CSTAC), the Cyber Centre and its government partners regularly and actively engage with Canadian telecommunications service providers and key equipment suppliers to help ensure the security of Canadian critical telecommunications infrastructure," they said. Rogers is the country’s top wireless provider and boasts some 20 million subscribers across its various services, a company webpage says. Over 60% percent of Canadian households rely on its internet, it notes. It also has extensive contracts with Canada’s government. Canada, like many countries with robust telecom networks, has laws that let federal investigators compel providers to turn over communications metadata on individuals suspected of criminal activity, hacking or espionage. Rogers is among those required to comply with these Canadian “lawful access” inquiries. In 2023, the company disclosed data on some 162,000 customers to authorities under lawful access requests backed by warrants and government orders, a transparency report shows. Salt Typhoon has gone after those same wiretap environments in the U.S., and likely abused those platforms when it directly targeted the communications of President Donald Trump and Vice President JD Vance during their run for the White House last year. Last month, Canada’s cybersecurity agency released a bulletin warning that Salt Typhoon was targeting telecommunications firms in the country. “Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025,” says the bulletin, which doesn’t name the firm. The agency identified a 2023 vulnerability in Cisco routers that was used as an access point into the unnamed Canadian provider. Cisco equipment that has not been patched with the latest security updates has provided the Chinese telecom hackers with a wide access point into various communications systems, according to earlier assessments. That same 2023 vulnerability is detailed in a Cisco threat intelligence blog released in February.
#nextgov.com#EN#2025#canada#salt-typhoon#rogers
·nextgov.com·
Canadian media giant Rogers named as victim of Chinese telecom hackers - Nextgov/FCW
Would you like an IDOR with that? Leaking 64 million McDonald’s job applications
Would you like an IDOR with that? Leaking 64 million McDonald’s job applications
Ian Carroll, Sam Curry / ian.sh When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We discovered a vulnerability that could allow an attacker to access more than 64 million job applications. This data includes applicants' names, resumes, email addresses, phone numbers, and personality test results. McHire is the chatbot recruitment platform used by 90% of McDonald’s franchisees. Prospective employees chat with a bot named Olivia, created by a company called Paradox.ai, that collects their personal information, shift preferences, and administers personality tests. We noticed this after seeing complaints on Reddit of the bot responding with nonsensical answers. During a cursory security review of a few hours, we identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted. Together they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants. We disclosed this issue to Paradox.ai and McDonald’s at the same time. 06/30/2025 5:46PM ET: Disclosed to Paradox.ai and McDonald’s 06/30/2025 6:24PM ET: McDonald’s confirms receipt and requests technical details 06/30/2025 7:31PM ET: Credentials are no longer usable to access the app 07/01/2025 9:44PM ET: Followed up on status 07/01/2025 10:18PM ET: Paradox.ai confirms the issues have been resolved
#ian.sh#EN#2025#McHire#chatbot#recruitment#McDonald#vulnerabilies
·ian.sh·
Would you like an IDOR with that? Leaking 64 million McDonald’s job applications
Pay2Key’s Resurgence: Iranian Cyber Warfare Targets the West
Pay2Key’s Resurgence: Iranian Cyber Warfare Targets the West
morphisec - In the volatile aftermath of the Israel-Iran-USA conflict, a sophisticated cyber threat has re-emerged, targeting organizations across the West. Morphisec’s threat research team has uncovered the revival of Pay2Key, an Iranian-backed ransomware-as-a-service (RaaS) operation, now operating as Pay2Key.I2P. Linked to the notorious Fox Kitten APT group and closely tied to the well-known Mimic ransomware, previously analyzed by Morphisec for its ELENOR-Corp variant, Pay2Key.I2P appears to partner with or incorporate Mimic’s capabilities. Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment. With over $4 million in ransom payments collected in just four months and individual operators boasting $100,000 in profits, this campaign merges technical prowess with geopolitical motives. Our upcoming report includes personal communications from the group, revealing their dedication and the reasons behind rewriting their ransomware. This blog introduces our technical analysis and OSINT findings, exposing Pay2Key.I2P’s operations and its ties to Mimic. ince its debut in February 2025, Pay2Key.I2P has expanded rapidly. Strategic marketing on Russian and Chinese darknet forums, combined with a presence on X since January 2025, indicates a planned rollout. With over 51 successful ransom payouts in four months, the group’s effectiveness is undeniable. While profit is a motivator, Pay2Key.I2P’s ideological agenda is clear. Their focus on Western targets, coupled with rhetoric tied to Iran’s geopolitical stance, positions this campaign as a tool of cyber warfare. The addition of a Linux-targeted ransomware build in June 2025 further expands their attack surface, threatening diverse systems.
#morphisec#EN#2025#Pay2Key#Cyber-Warfare#Iran
·morphisec.com·
Pay2Key’s Resurgence: Iranian Cyber Warfare Targets the West
11 Google-Verified Chrome Extensions Infected Over 1.7 Million Users
11 Google-Verified Chrome Extensions Infected Over 1.7 Million Users
gbhackers - A chilling discovery by Koi Security has exposed a sophisticated browser hijacking campaign dubbed “RedDirection,” compromising over 1.7 million users through 11 Google-verified Chrome extensions. This operation, which also spans Microsoft Edge with additional extensions totaling 2.3 million infections across platforms, exploited trusted signals like verification badges, featured placements, and high install counts to distribute malware under the guise of legitimate productivity and entertainment tools. The RedDirection campaign stands out due to its deceptive strategy of remaining benign for years before introducing malicious code via silent updates, a tactic that evaded scrutiny from both Google and Microsoft’s extension marketplaces. These updates, auto-installed without user intervention, transformed trusted tools into surveillance platforms capable of tracking every website visit, capturing URLs, and redirecting users to fraudulent pages via command-and-control (C2) infrastructure like admitclick.net and click.videocontrolls.com.
#gbhackers#EN#2025#malicious#Chrome#Extensions#RedDirection
·gbhackers.com·
11 Google-Verified Chrome Extensions Infected Over 1.7 Million Users
Microsoft Patch Tuesday, July 2025 Edition – Krebs on Security
Microsoft Patch Tuesday, July 2025 Edition – Krebs on Security
krebsonsecurity - Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users. While not listed as critical, CVE-2025-49719 is a publicly disclosed information disclosure vulnerability, with all versions as far back as SQL Server 2016 receiving patches. Microsoft rates CVE-2025-49719 as less likely to be exploited, but the availability of proof-of-concept code for this flaw means its patch should probably be a priority for affected enterprises. Mike Walters, co-founder of Action1, said CVE-2025-49719 can be exploited without authentication, and that many third-party applications depend on SQL server and the affected drivers — potentially introducing a supply-chain risk that extends beyond direct SQL Server users. “The potential exposure of sensitive information makes this a high-priority concern for organizations handling valuable or regulated data,” Walters said. “The comprehensive nature of the affected versions, spanning multiple SQL Server releases from 2016 through 2022, indicates a fundamental issue in how SQL Server handles memory management and input validation.” Adam Barnett at Rapid7 notes that today is the end of the road for SQL Server 2012, meaning there will be no future security patches even for critical vulnerabilities, even if you’re willing to pay Microsoft for the privilege. Barnett also called attention to CVE-2025-47981, a vulnerability with a CVSS score of 9.8 (10 being the worst), a remote code execution bug in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms. This pre-authentication vulnerability affects any Windows client machine running Windows 10 1607 or above, and all current versions of Windows Server. Microsoft considers it more likely that attackers will exploit this flaw. Microsoft also patched at least four critical, remote code execution flaws in Office (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The first two are both rated by Microsoft as having a higher likelihood of exploitation, do not require user interaction, and can be triggered through the Preview Pane. Two more high severity bugs include CVE-2025-49740 (CVSS 8.8) and CVE-2025-47178 (CVSS 8.0); the former is a weakness that could allow malicious files to bypass screening by Microsoft Defender SmartScreen, a built-in feature of Windows that tries to block untrusted downloads and malicious sites. CVE-2025-47178 involves a remote code execution flaw in Microsoft Configuration Manager, an enterprise tool for managing, deploying, and securing computers, servers, and devices across a network. Ben Hopkins at Immersive Labs said this bug requires very low privileges to exploit, and that it is possible for a user or attacker with a read-only access role to exploit it. “Exploiting this vulnerability allows an attacker to execute arbitrary SQL queries as the privileged SMS service account in Microsoft Configuration Manager,” Hopkins said. “This access can be used to manipulate deployments, push malicious software or scripts to all managed devices, alter configurations, steal sensitive data, and potentially escalate to full operating system code execution across the enterprise, giving the attacker broad control over the entire IT environment.” Separately, Adobe has released security updates for a broad range of software, including After Effects, Adobe Audition, Illustrator, FrameMaker, and ColdFusion. The SANS Internet Storm Center has a breakdown of each individual patch, indexed by severity. If you’re responsible for administering a number of Windows systems, it may be worth keeping an eye on AskWoody for the lowdown on any potentially wonky updates (considering the large number of vulnerabilities and Windows components addressed this month). If you’re a Windows home user, please consider backing up your data and/or drive before installing any patches, and drop a note in the comments if you encounter any problems with these updates.
#krebsonsecurity#EN#2025#Microsoft#July2025-PatchTuesday
·krebsonsecurity.com·
Microsoft Patch Tuesday, July 2025 Edition – Krebs on Security
A Marco Rubio impostor is using AI voice to call high-level officials
A Marco Rubio impostor is using AI voice to call high-level officials
The unknown individual contacted at least five government officials, including three foreign ministers, a U.S. governor and a member of Congress, according to a State Department cable. An impostor pretending to be Secretary of State Marco Rubio contacted foreign ministers, a U.S. governor and a member of Congress by sending them voice and text messages that mimic Rubio’s voice and writing style using artificial intelligence-powered software, according to a senior U.S. official and a State Department cable obtained by The Washington Post. U.S. authorities do not know who is behind the string of impersonation attempts but they believe the culprit was probably attempting to manipulate powerful government officials “with the goal of gaining access to information or accounts,” according to a cable sent by Rubio’s office to State Department employees. Using both text messaging and the encrypted messaging app Signal, which the Trump administration uses extensively, the impostor “contacted at least five non-Department individuals, including three foreign ministers, a U.S. governor, and a U.S. member of Congress,” said the cable, dated July 3. The impersonation campaign began in mid-June when the impostor created a Signal account using the display name “Marco.Rubio@state.gov” to contact unsuspecting foreign and domestic diplomats and politicians, said the cable. The display name is not his real email address. “The actor left voicemails on Signal for at least two targeted individuals and in one instance, sent a text message inviting the individual to communicate on Signal,” said the cable. It also noted that other State Department personnel were impersonated using email. When asked about the cable, the State Department responded that it would “carry out a thorough investigation and continue to implement safeguards to prevent this from happening in the future.” Officials declined to discuss the contents of the messages or the names of the diplomats and officials who were targeted.
#washingtonpost#EN#2025#impostor#deep-fake#US#Marco-Rubio#Signal#voicemails
·washingtonpost.com·
A Marco Rubio impostor is using AI voice to call high-level officials
Hackers Disrupt Russia's Drone Weaponization Network
Hackers Disrupt Russia's Drone Weaponization Network
A volunteer-run network of service centers halts custom firmware updates for DJI drones following a cyber attack. Can a cyber operation have an impact on drone warfare? Recent developments in Russia offer an example of how this can happen in a not-so-obvious way. On Friday, a volunteer group Russian Hackers for the Front (“Русские Хакеры – Фронту”, RH) known for building a customized firmware for DJI drones reported a cyber attack that affected its servers and end-point devices (terminals). While recovering from the attack, RH instructed hundreds of service centers to stop using its terminals until further notice, thus pausing a wide operation of weaponizing commercial drones. Although details are scanty, this is a rare publicly reported cyber attack that affects drones warfare and might have militarily significant consequences. In this post I will summarize what is known about the attack and provide additional information about the impact and who might be behind it.
#fromcyberia.substack.com#EN#2025#Disrupt#drones#Russia#Ukraine#Russian-Hackers-for-the-Front
·fromcyberia.substack.com·
Hackers Disrupt Russia's Drone Weaponization Network
Enterprise Software Extension Security & Management Platform
Enterprise Software Extension Security & Management Platform
How the Mellowtel library transforms browser extensions into a distributed web scraping network, making nearly one million devices an unwitting bot army. Many developers begin creating browser extensions with a strong passion to solve problems they believe others might face as well. Eventually, as extensions become more popular, the added burden of updates and maintenance can weigh heavily on developers who likely have other priorities. These developers might try to find paths to monetize their extensions, but it often isn't as simple as just putting a price tag on them. There are a handful of "monetization-as-a-service" companies that have emerged, promising developers a way to be compensated for their hard work. These companies offer software libraries that can be easily added to existing extensions (sometimes without requiring any new permissions!) and in return, extension developers begin getting paid as their extensions are used. Does that sound too good to be true? There are several of these libraries, but some of the more popular ones track user browsing behaviors to generate 'clickstream' data. The companies creating these libraries are targeting developers and are often advertising technology firms that aggregate the data and offer their clients (very large companies) realistic profiles of browsing behaviors for advertising purposes. Recently, we discovered a new monetization library developed by Mellowtel that pays extension developers in exchange for the "unused bandwidth" of users who have an extension installed. The reality could be far more sinister. We'll cover what that actually means, who is actually behind the library, and the cybersecurity risks a company should consider if they find an extension using this library.
#secureannex#EN#2025#browsers#Mellowtel#library#monetization-as-a-service
·secureannex.com·
Enterprise Software Extension Security & Management Platform
iPhone wingman app leaks 160K chat screenshots
iPhone wingman app leaks 160K chat screenshots
  • FlirtAI wingman app leaked 160K chat screenshots through unprotected cloud storage. Teenagers frequently used the app, making the breach more concerning for minors. Some individuals were likely unaware their conversations were screenshot and sent to third parties. Sending private screenshots to an AI-based “wingman” app is probably not the best idea. Who would have thought? Unfortunately, users of FlirtAI - Get Rizz & Dates will have to find out the hard way. The Cybernews research team recently discovered an unprotected Google Cloud Storage Bucket owned by Buddy Network GmbH, an iOS app developer. The exposed data was attributed to one of the company’s projects, FlirtAI - Get Rizz & Dates, an app that intends to analyze screenshots that users provide, promising to suggest appropriate replies. Meanwhile, the app makers leaked over 160K screenshots from messaging apps and dating profiles, belonging to individuals that users of the AI wingman wanted assistance with. What makes it worse is that, according to the team, leaked data indicates that FlirtAI - Get Rizz & Dates was often used by teenagers, who fed the AI screenshots of their conversations with their peers. “Due to the nature of the app, people most affected by the leak may be unaware that screenshots of their conversations even exist, let alone that they could be leaked on the internet,” the team said. After the team noted the company and the relevant Computer Emergency Response Team (CERT), Buddy Network GmbH closed the exposed bucket. We have reached out to the company for a comment and will update the article once we receive a reply.
#cybernews#EN#2025#app#data-leak#iPhone#ios#screenshots#unprotected#exposed
·cybernews.com·
iPhone wingman app leaks 160K chat screenshots
Critical Vulnerabilities in KIA Infotainment Let Attackers Inject Code with PNG Files
Critical Vulnerabilities in KIA Infotainment Let Attackers Inject Code with PNG Files
A recent security analysis has uncovered critical vulnerabilities in the infotainment systems of KIA vehicles, raising alarm across the automotive cybersecurity community. These flaws allow attackers to inject and execute malicious code through specially crafted PNG image files, potentially compromising vehicle safety and user privacy. Security researchers, during an in-depth examination of KIA’s head unit and its underlying Real-Time Operating System (RTOS), found that the infotainment firmware failed to properly validate certain image file formats—most notably PNG files. By exploiting this weakness, attackers could embed executable payloads inside images that, when processed by the infotainment system, triggered remote code execution. he attack leverages a buffer overflow vulnerability in the image parsing library used by KIA’s infotainment system. When a malicious PNG file is loaded—either via USB, Bluetooth, or over-the-air update—the system’s parser mishandles the image data, allowing the attacker’s code to overwrite critical memory regions. Attack Chain Initial Access: The attacker delivers a malicious PNG file to the vehicle (e.g., via a USB drive or compromised update). Payload Execution: The infotainment system parses the image, triggering the buffer overflow. Privilege Escalation: The injected code runs with system-level privileges, allowing full control over the head unit. Potential Impact: Attackers can manipulate vehicle settings, access personal data, or pivot to other vehicle networks such as the CAN bus.
#gbhackers#EN#2025#KIA#Vulnerabilities#Inject#code#Automotive#RTOS
·gbhackers.com·
Critical Vulnerabilities in KIA Infotainment Let Attackers Inject Code with PNG Files
The GPS Leak No One Talked About: Uffizio’s Silent Exposure
The GPS Leak No One Talked About: Uffizio’s Silent Exposure
A deep investigation by DeepSpecter.com uncovered a multi-year data exposure involving Uffizio, the software provider behind a widely used white-label GPS fleet management platform. Despite claiming GDPR compliance, Uffizio’s software — and its deployment by hundreds of global resellers — leaked sensitive fleet data across at least 12 countries for over five years, continuing even after a public CVE disclosure and an internal GDPR audit. The leaked data included SIM identifiers, license plates, company names, tracker IMEIs, and real-time activity — effectively mapping the movement of thousands of vehicles, including those operated by police, ambulances, municipal fleets, and even nuclear energy providers. The fact that Uffizio was quick to patch its software while exposure continued elsewhere underscores a broader issue: the delivery chain was broken, and we’ll expose that in a dedicated follow-up. This case makes one thing clear — compliance is not enough. Businesses responsible for real-world assets and lives cannot afford to treat security as a checkbox. When fleet systems tie directly to public safety and critical infrastruc data-leakture, the absence of active monitoring turns regulatory compliance into a false sense of protection. The risk is real, the impact is human, and silence is no longer an option.
#DeepSpecter.com#EN#2025#Uffizio#GPS#data-leak
·reporter.deepspecter.com·
The GPS Leak No One Talked About: Uffizio’s Silent Exposure
New Hpingbot Exploits Pastebin for Payload Delivery and Uses Hping3 for DDoS Attacks
New Hpingbot Exploits Pastebin for Payload Delivery and Uses Hping3 for DDoS Attacks
NSFOCUS Fuying Lab's Global Threat Hunting System has discovered a new botnet family called "hpingbot" that has been quickly expanding. This cross-platform botnet, built from scratch using the Go programming language, targets both Windows and Linux/IoT environments and supports multiple processor architectures including amd64, mips, arm, and 80386. Unlike derivatives of well-known botnets like Mirai or Gafgyt, hpingbot showcases remarkable innovation by leveraging unconventional resources for stealth and efficiency, such as using the online text storage platform Pastebin for payload distribution and the network testing tool hping3 to execute Distributed Denial of Service (DDoS) attacks. According to the Report, this approach not only enhances its ability to evade detection but also significantly reduces the costs associated with development and operation, making hpingbot a formidable and evolving threat in the digital realm. Hpingbot’s operational strategy is notably distinct, as it employs Pastebin to host and dynamically update malicious payloads, allowing attackers to adjust their load distribution frequently. DDoS Attacks Attack method Monitoring data from Fuying Lab indicates that Pastebin links embedded in the botnet have shifted content multiple times since mid-June 2025, from hosting IP addresses to providing scripts for downloading additional components. This flexibility is paired with the botnet’s reliance on hping3, a versatile command-line tool typically used for network diagnostics, to launch a variety of DDoS attacks such as SYN, UDP, and mixed-mode floods. Interestingly, while the Windows version of hpingbot cannot utilize hping3 for DDoS attacks due to environmental limitations, its persistent activity underscores a broader focus on downloading and executing arbitrary payloads, hinting at intentions beyond mere network disruption.
#gbhackers#EN#2025#Hpingbot#Pastebin#Hping3#DDoS
·gbhackers.com·
New Hpingbot Exploits Pastebin for Payload Delivery and Uses Hping3 for DDoS Attacks
Atomic macOS infostealer adds backdoor for persistent attacks
Atomic macOS infostealer adds backdoor for persistent attacks
Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems. Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems. The new component allows executing arbitrary remote commands, it survives reboots, and permits maintaining control over infected hosts indefinitely. MacPaw's cybersecurity division Moonlock analyzed the backdoor in Atomic malware after a tip from independent researcher g0njxa, a close observer of infostealer activity. "AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected," the researchers say. "The backdoored version of Atomic macOS Stealer now has the potential to gain full access to thousands of Mac devices worldwide."
#bleepingcomputer#EN#2025#AMOS#Atomic#Backdoor#Info-Stealer#Information-Stealer#macOS
·bleepingcomputer.com·
Atomic macOS infostealer adds backdoor for persistent attacks
NSB Alerts the Significant Cybersecurity Risks in China-Made Mobile Applications
NSB Alerts the Significant Cybersecurity Risks in China-Made Mobile Applications
www.nsb.gov.tw In recent years, the international community has shown growing concerns over cybersecurity issues deriving from China-developed mobile applications (apps). Governments and independent research institutions worldwide have already issued warnings concerning data breaches in users’ communication security. To prevent China from illegally acquiring personal data of Taiwan’s nationals, National Security Bureau (NSB) has reviewed cybersecurity reports from countries around the world and organized relevant information, as per the National Intelligence Work Act. Subsequently, the NSB informed and coordinated with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB) under the National Police Agency to conduct random inspection on several China-developed mobile apps. The results indicate the existence of security issues, including excessive data collection and privacy infringement. The public is advised to exercise caution when choosing mobile apps. The 5 China-developed apps selected for inspection, consisting of rednote, Weibo, TikTok, WeChat, and Baidu Cloud, are widely used by Taiwanese nationals. The MJIB and CIB adopted the Basic Information Security Testing Standard for Mobile Applications v4.0 announced by the Ministry of Digital Affairs, and evaluated the apps against 15 indicators under 5 categories of violation, consisting of personal data collection, excessive permission usage, data transmission and sharing, system information extraction, and biometric data access. All 5 apps have shown serious violations across multiple inspection indicators. Notably, the rednote fails to meet all 15 inspection standards. Weibo and TikTok violate 13 indicators, separately, as well as 10 for WeChat and 9 for Baidu Cloud. These findings suggest that the said China-made apps present cybersecurity risks far beyond the reasonable expectations for data-collection requirement taken by ordinary apps. All 5 China-made apps are found to have security issues of excessively collecting personal data and abusing system permissions. The violations include unauthorized access to facial recognition data, screenshots, clipboard contents, contact lists, and location information. As to the category of system information extraction, all apps were found to collect data such as application lists and device parameters. Furthermore, as far as biometric data are concerned, users’ facial features may be deliberately harvested and stored by those apps. With regard to data transmission and sharing, the said 5 apps were found to send packets back to servers located in China. This type of transmission has raised serious concerns over the potential misuse of personal data by third parties. Under China’s Cybersecurity Law and National Intelligence Law, Chinese enterprises are obligated to turn over user data to competent authorities concerning national security, public security, and intelligence. Such a practice would pose a significant security breach to the privacy of Taiwanese users, which could lead to data collection by specific Chinese agencies. A wide range of countries, such as the US, Canada, the UK, and India, have already publicly issued warnings against or bans on specific China-developed apps. The European Union has also launched investigations under the General Data Protection Regulation framework into suspected data theft involving certain China-made apps. Substantial amount of fines are imposed in those cases. In response to the cybersecurity threats, the Taiwanese government has prohibited the use of Chinese-brand products regarding computer and communications technology within official institutions. Both software and hardware are included. The NSB coordinates with the MJIB and CIB to test the 5 inspected China-developed apps, and confirms that widespread cybersecurity vulnerabilities indeed exist. The NSB strongly advises the public to remain vigilant regarding mobile device security and avoid downloading China-made apps that pose cybersecurity risks, so as to protect personal data privacy and corporate business secrets.
#www.nsb.gov.tw#EN#2025#alert#China#Taiwan#China-developed#apps#risk
·nsb.gov.tw·
NSB Alerts the Significant Cybersecurity Risks in China-Made Mobile Applications
SEC and SolarWinds Seek Settlement in Securities Fraud Case
SEC and SolarWinds Seek Settlement in Securities Fraud Case
Categories: U.S. Federal Law, Cybersecurity, Enforcement In a surprising development in the US Securities and Exchange Commission’s (“SEC’s”) ongoing securities fraud case against SolarWinds Corp. (“SolarWinds”) and its former chief information security officer (“CISO”), Timothy Brown, all three parties have petitioned the judge for a stay pending final settlement. Until the SEC’s four commissioners can vote to approve the settlement, the parties have requested the stay until at least September 12, 2025. As we previously reported, in October 2023, the SEC sued software developer SolarWinds and its former CISO, alleging that SolarWinds misled investors about a series of heavily publicized cyberattacks that targeted the company, culminating in the December 2020 Sunburst malware attack. In addition to alleging securities fraud and violations of SEC reporting provisions, the SEC also alleged that SolarWinds violated Sarbanes-Oxley internal control provisions. In July 2024, U.S. District Judge Paul A. Engelmayer granted SolarWinds’ and the company’s former CISO’s motions to dismiss on most claims. A single set of fraud claims survived concerning alleged misstatements and omissions in a “Security Statement” that was published on SolarWinds’ website. The Security Statement described the company’s various cybersecurity practices, which the SEC alleges painted an incomplete and misleading picture. As recently as June 2025, the SEC indicated it was ready to try the case and filed a motion in opposition to the defendants’ motion to dismiss the remaining claim. On July 2, 2025, all three parties—the SEC, SolarWinds and the company’s former CISO—sent a joint letter to the judge indicating they had reached an agreement in principle to settle the case. Any settlement is subject to approval of the four SEC commissioners. As noted above, the parties’ joint letter requested a stay until at least September 12, 2025 to give the SEC commissioners time to review the matter. Two of the sitting commissioners have been critical of the SEC’s case. It is difficult to speculate what the final terms of settlement may be. Unrelated to this case, with the change in presidential administration, the SEC has dismissed numerous enforcement cases targeting the cryptocurrency industry on the grounds that the cases were imprudently brought. It is possible this philosophy has now been extended to the SolarWinds case, and the SEC may seek to drop the case entirely. It also is possible that this movement by the SEC staff is more in line with other settled cases, and could simply entail reduced charges and remedies acceptable to all parties. The fact that the SEC enforcement staff still needs approval by the SEC commissioners may imply that this latter scenario is more likely. Like any plaintiff, the SEC does from time to time settle enforcement cases after they have entered litigation for any number of reasons.
#hunton#EN#2025#SEC#SolarWinds#Settlement#legal
·hunton.com·
SEC and SolarWinds Seek Settlement in Securities Fraud Case
Ingram Micro outage caused by SafePay ransomware attack
Ingram Micro outage caused by SafePay ransomware attack
An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned. Update 7/6/25: Added Ingram Micro's confirmation it suffered a ransomware attack below. Also updated ransom note with clearer version. An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned. Ingram Micro is one of the world's largest business-to-business technology distributors and service providers, offering a range of solutions including hardware, software, cloud services, logistics, and training to resellers and managed service providers worldwide. Since Thursday, Ingram Micro's website and online ordering systems have been down, with the company not disclosing the cause of the issues. BleepingComputer has now learned that the outages are caused by a cyberattack that occurred early Thursday morning, with employees suddenly finding ransom notes created on their devices. The ransom note, seen by BleepingComputer, is associated with the SafePay ransomware operation, which has become one of the more active operations in 2025. It is unclear if devices were actually encrypted in the attack. It should be noted that while the ransom note claims to have stolen a wide variety of information, this is generic language used in all SafePay ransom notes and may not be true for the Ingram Micro attack.
#bleepingcomputer#EN#2025#Cyberattack#Note#Computer#Security#Ransom#MicroIngram#Ransomware#VPN#SafePay
·bleepingcomputer.com·
Ingram Micro outage caused by SafePay ransomware attack
Netflix, Apple, BofA sites hijacked with fake help numbers
Netflix, Apple, BofA sites hijacked with fake help numbers
Don’t trust mystery digits popping up in your search bar Scammers are hijacking the search results of people needing 24/7 support from Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal in an attempt to trick victims into handing over personal or financial info, according to Malwarebytes senior director of research Jérôme Segura. It's a variation of SEO or search poisoning, in which the attackers manipulate the search engine algorithms to promote what is usually a malicious website masquerading as the real deal. In this new scam, the fraudster pays for a sponsored ad on Google and crafts a malicious URL that embeds a fake phone number into the real site's legitimate search functionality. Because the ad resolves to the authentic Netflix domain, reputation-based browser filters, such as Chrome's Safe Browsing, won't flag it as malicious. When someone searches "24/7 Netflix support," for example, the digital thieves' ad pops up as one of the top results, and when the unwitting victim clicks on the URL, it takes them to the help page of the brand's website. The page looks real — because it is — but displays a phone number pre-populated in the search bar on that page. This purports to be the legitimate help-desk phone number, but in reality it's a fake, controlled by the attackers. As the anti-malware security firm explains: This is able to happen because Netflix's search functionality blindly reflects whatever users put in the search query parameter without proper sanitization or validation. This creates a reflected input vulnerability that scammers can exploit.
#theregister#EN#2025#scam#Netflix#BofA#search-poisoning#support
·theregister.com·
Netflix, Apple, BofA sites hijacked with fake help numbers
Hacktivists' Claimed Breach of Nuclear Secrets Debunked
Hacktivists' Claimed Breach of Nuclear Secrets Debunked
Security experts are dismissing a pro-Iranian hacktivist group's claim to have breached Indian nuclear secrets in reprisal for the country's support of Israel. The LulzSec Black group last week claimed to have hacked "the company responsible for Indian nuclear reactors" and to have stolen 80 databases, of which it was now selling 17 databases containing 5.2 gigabytes of data. The group claimed the information detailed the precise location of India's nuclear reactors, numerous chemical laboratories, employee personally identifiable information, industrial and engineering information, precise details of guard shifts and "other sensitive data related to infrastructure." LulzSec Black, named after the notorious hacktivist collective that committed a string of high-profile hits in 2011, claims to be a group of "Palestinian hackers." Previous attacks tied to the group include disruptions targeting Israel, as well as countries that support Israel, including France and Cyprus. Threat intelligence firm Resecurity said the group's nuclear claims vary from being dramatically overstated to outright lies. "This activity is related to the 'pseudo-hacktivist' activities by Iran" designed to provoke fear, uncertainty and doubt, Resecurity told Information Security Media Group. "Many of their statements are overstatements, having no connection to reality. For example, they clearly do not have '80 databases' or even 5.2 GB of data." LulzSec Black's claims arrive amidst U.S. government alerts of the "heightened threat environment" facing critical infrastructure networks and operational technology environments, following Israel launching missile strikes against Iran on June 13 (see: Infrastructure Operators Leaving Control Systems Exposed). While the resulting regional war appears to now be moderated by a fragile ceasefire, many governments are still bracing for reprisals (see: Israel-Iran Ceasefire Holding Despite Fears of Cyberattacks). What LulzSec Black may actually possess is identity and contact information for nuclear specialists, likely stolen from third-party HR firms and recruitment websites such as the CATS Software applicant tracking system and recruitment software, Resecurity said. This can be seen in the long list of various job titles - "security auditor, heavy water unit," "nuclear engineer, analysis lab, tritium gas," and "radiation officer, fuel fabrication, uranium dioxide" - in a sample of dumped data. In that data, tags such as "Top Secret," appear, which Resecurity said likely either reflect clearances held by job candidates, or were added by the hackers themselves "so it will look like it is from some nuclear energy facility."
#databreachtoday#EN#2025#hacktivist#Iran#Israel#LulzSec-Black
·databreachtoday.com·
Hacktivists' Claimed Breach of Nuclear Secrets Debunked
Johnson Controls starts notifying people affected by 2023 breach
Johnson Controls starts notifying people affected by 2023 breach
Building automation giant Johnson Controls is notifying individuals whose data was stolen in a massive ransomware attack that impacted the company's operations worldwide in September 2023. Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, HVAC systems, and fire safety equipment for buildings. The company employs over 100,000 people through its corporate operations and subsidiaries across 150 countries, reporting sales of $27.4 billion in 2024. As BleepingComputer first reported, Johnson Controls was hit by a ransomware attack in September 2023, following a breach of the company's Asian offices in February 2023 and subsequent lateral movement through its network. "Based on our investigation, we determined that an unauthorized actor accessed certain Johnson Controls systems from February 1, 2023 to September 30, 2023 and took information from those systems," the company says in data breach notification letters filed with California's Attorney General, redacted to conceal what information was stolen in the attack. "After becoming aware of the incident, we terminated the unauthorized actor's access to the affected systems. In addition, we engaged third-party cybersecurity specialists to further investigate and resolve the incident. We also notified law enforcement and publicly disclosed the incident in filings on September 27, 2023; November 13, 2023; and December 14, 2023."
#bleepingcomputer#EN#2025#Breach#Cyberattack#Dark-Angels#Data-Breach#Johnson-Controls#Ransomware
·bleepingcomputer.com·
Johnson Controls starts notifying people affected by 2023 breach
Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign
Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign
A criminal has been sentenced at Inner London Crown Court to over a year in prison for operating a SMS Blaster to conduct a mass smishing campaign against victims with the intent to harvest their personal details to be used in fraud. The sentencing follows an investigation and arrest by the Dedicated Card and Payment Crime Unit (DCPCU), a specialist banking industry sponsored police unit. The conviction was achieved thanks to the officers from the DCPCU working with mobile network operators including BT, Virgin Media O2, VodafoneThree and Sky as well as the National Cyber Security Centre and Ofcom. Between 22 and 27 March 2025 Ruichen Xiong, a student from China had installed an SMS Blaster in his vehicle to commit smishing fraud, targeting tens of thousands of potential victims. Xiong drove around the Greater London area in a Black Honda CR-V. This vehicle was used to hold and transport an SMS Blaster around in the boot. An SMS Blaster allows offenders to send fraudulent text messages to phones within the vicinity of the equipment and acts as an illegitimate phone mast to send messages. The blaster will draw mobile devices away from legitimate networks by appearing to have a stronger signal. By doing so, the criminal is then able to send a text message to the victim's phone. The equipment was programmed to send out SMS messages to victims within a nearby radius of the blaster, designed to look like trustworthy messages from genuine organisations, such as government bodies, where the victim was encouraged to click a link. The link would subsequently take them to a malicious site that was designed to harvest their personal details.
#ukfinance#EN#2025#UK#SMS-Blaster#DCPCU#SMS
·ukfinance.org.uk·
Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign
Call of Duty: WW2 Players Reporting RCE Exploits on PC
Call of Duty: WW2 Players Reporting RCE Exploits on PC
Be careful if you want to play Call of Duty: WW2 through Game Pass on PC – some users have been reporting falling victim to RCE (Remote Command Execution) hacks. The earliest reports of this surfaced just a few hours ago, with players taking to social media to share some concerning stories, while others stressed this has been a problem ‘for years’ in COD WW2.
#insider-gaming.com#EN#2025#exploit#COD#RCE#game
·insider-gaming.com·
Call of Duty: WW2 Players Reporting RCE Exploits on PC
Ransomware gang attacks German charity that feeds starving children
Ransomware gang attacks German charity that feeds starving children
therecord.media - Cybercriminals are extorting the German humanitarian aid group Welthungerhilfe (WHH) for 20 bitcoin. The charity said it will not pay. Deutsche Welthungerhilfe (WHH), the German charity that aims to develop sustainable food supplies in some of the world’s most impoverished countries, has been attacked by a ransomware gang. The charity, whose name literally translates as World Hunger Help, reached 16.4 million people in 2023. It is currently providing emergency aid to people in Gaza, Ukraine, Sudan and other countries and regions where there is an urgent need for food, water, medicine and basic necessities. A spokesperson confirmed to Recorded Future News that WHH had been targeted by a ransomware-as-a-service (RaaS) group which recently listed the charity on its darknet leak site. The cybercriminals are attempting to sell data stolen from the charity for 20 bitcoin, equivalent to around $2.1 million, although it is not clear whether WHH’s computer networks have also been encrypted. The charity said it would not be making an extortion payment to the criminals behind the attack. “The affected systems were shut down immediately and external IT experts who specialise in such cases were called in. We have also further strengthened the security of our systems with additional technical protective measures,” said a WHH spokesperson. “We have informed the relevant data protection authority, consulted our data protection officer and involved the police authorities. We continue to liaise closely with the authorities,” they added. The charity stressed it was “continuing our work in our project countries unchanged. We continue to stand by the side of the people who need our support. In view of the many humanitarian crises worldwide, our work is more important than ever.” The RaaS group that is extorting WHH was previously responsible for attacks on multiple hospitals — including The Ann & Robert H. Lurie Children’s Hospital of Chicago and hospitals run by Prospect Medical Holdings — and last year also attempted to extort the disability nonprofit Easterseals.
#therecord.media#EN#2025#Ransomware#WHH#Germany#Cybercriminals#Charity
·therecord.media·
Ransomware gang attacks German charity that feeds starving children
Data breach reveals Catwatchful 'stalkerware' is spying on thousands of phones
Data breach reveals Catwatchful 'stalkerware' is spying on thousands of phones
The spyware operation's exposed customer email addresses and passwords were shared with data breach notification service Have I Been Pwned. A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app’s full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims. Catwatchful is spyware masquerading as a child monitoring app that claims to be “invisible and cannot be detected,” all the while uploading the victim’s phone’s private contents to a dashboard viewable by the person who planted the app. The stolen data includes the victims’ photos, messages, and real-time location data. The app can also remotely tap into the live ambient audio from the phone’s microphone and access both front and rear phone cameras. Spyware apps like Catwatchful are banned from the app stores and rely on being downloaded and planted by someone with physical access to a person’s phone. As such, these apps are commonly referred to as “stalkerware” (or spouseware) for their propensity to facilitate non-consensual surveillance of spouses and romantic partners, which is illegal. Catwatchful is the latest example in a growing list of stalkerware operations that have been hacked, breached, or otherwise exposed the data they obtain, and is at least the fifth spyware operation this year to have experienced a data spill. The incident shows that consumer-grade spyware continues to proliferate, despite being prone to shoddy coding and security failings that expose both paying customers and unsuspecting victims to data breaches. According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims’ devices. Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows. The Catwatchful database also revealed the identity of the spyware operation’s administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers. Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned.
#techcrunch#EN#2025#spyware#Android#data-leak#stalkerware
·techcrunch.com·
Data breach reveals Catwatchful 'stalkerware' is spying on thousands of phones
Cyberattack on Brazil tech provider affects reserve accounts of some financial institutions
Cyberattack on Brazil tech provider affects reserve accounts of some financial institutions
BRASILIA, July 2 (Reuters) - Brazil's central bank said on Wednesday that technology services provider C&M Software, which serves financial institutions lacking connectivity infrastructure, had reported a cyberattack on its systems. The bank did not provide further details of the attack, but said in a statement that it ordered C&M to shut down financial institutions' access to the infrastructure it operates. C&M Software commercial director Kamal Zogheib said the company was a direct victim of the cyberattack, which involved the fraudulent use of client credentials in an attempt to access its systems and services. C&M said critical systems remain intact and fully operational, adding that all security protocol measures had been implemented. The company is cooperating with the central bank and the Sao Paulo state police in the ongoing investigation, added Zogheib. Brazilian financial institution BMP told Reuters that it and five other institutions experienced unauthorized access to their reserve accounts during the attack, which took place on Monday. BMP said the affected accounts are held directly at the central bank and used exclusively for interbank settlement, with no impact on client accounts or internal balances.
#reuters#EN#2025#C&M#Software#Brazil#cyberattack
·reuters.com·
Cyberattack on Brazil tech provider affects reserve accounts of some financial institutions