Found 6880 bookmarks
Newest
A Group of Young Cybercriminals Poses the ‘Most Imminent Threat’ of Cyberattacks Right Now
A Group of Young Cybercriminals Poses the ‘Most Imminent Threat’ of Cyberattacks Right Now
The Scattered Spider hacking group has caused chaos among retailers, insurers, and airlines in recent months. Researchers warn that its flexible structure poses challenges for defense. Empty grocery store shelves and grounded planes tend to signal a crisis, whether it’s an extreme weather event, public health crisis, or geopolitical emergency. But these scenes of chaos in recent weeks in the United Kingdom, United States, and Canada were caused instead by financially motivated cyberattacks—seemingly perpetrated by a collective of joyriding teens. A notorious cybercriminal group often called Scattered Spider is known for using social engineering techniques to infiltrate target companies by tricking IT help desk workers into granting them system access. Researchers say that the group seems to gain expertise about the backend systems commonly used by businesses in a particular industry and then uses this knowledge to hit a cluster of targets before moving on to another sector. The group often deploys ransomware or conducts data extortion attacks once it has compromised its victims. Amid increasing pressure from law enforcement last year, which culminated in charges and arrests of five suspects allegedly linked to Scattered Spider, researchers say that the group was less active in 2024 and seemed to be attempting to lay low. The group’s escalating attacks in recent weeks, though, have shown that, far from being defeated, Scattered Spider is emboldened once again. “There are some uniquely skilled actors in Scattered Spider when it comes to social engineering, and they have identified a major gap in our security systems that they’re successfully taking advantage of,” says John Hultquist, chief analyst in Google’s threat intelligence group. “This group is carrying out serious attacks on our critical infrastructure, and I hope that we’re not missing the opportunity to address the most imminent threat.” Though a number of incidents have not been publicly attributed, an overwhelming spree of recent attacks on UK grocery store chains, North American insurers, and international airlines has broadly been tied to Scattered Spider. In May, the UK’s National Crime Agency confirmed it was looking at Scattered Spider in connection to the attacks on British retailers. And the FBI warned in an alert on Friday that it has observed “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.” The warning came as North American airlines Westjet and Hawaii Airlines said they had been victims of cybercriminal hacks. On Wednesday, the Australian airline Qantas also said it had been hit with a cyberattack, though it was not immediately clear if this attack was part of the group’s campaign.
#wired#EN#2025#Cybercriminals#Scattered-Spider#UK#US
·wired.com·
A Group of Young Cybercriminals Poses the ‘Most Imminent Threat’ of Cyberattacks Right Now
NimDoor crypto-theft macOS malware revives itself when killed
NimDoor crypto-theft macOS malware revives itself when killed
North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations. Researchers analyzing the payloads discovered that the attacker relied on unusual techniques and a previously unseen signal-based persistence mechanism. The attack chain, which involves contacting victims via Telegram and luring them into running a fake Zoom SDK update, delivered via Calendly and email, resembles the one Huntress managed security platform recently linked to BlueNoroff. Advanced macOS malware In a report today, researchers at cybersecurity company SentinelOne says that the threat actor used C++ and Nim-compiled binaries (collectively tracked as NimDoor ) on macOS, which "is a more unusual choice." One of the Nim-compiled binaries, 'installer', is responsible for the initial setup and staging, preparing directories and config paths. It also drops other two binaries - 'GoogIe LLC,' 'CoreKitAgent', onto the victim's system. GoogIe LLC takes over to collect environment data and generate a hex-encoded config file, writing it to a temp path. It sets up a macOS LaunchAgent (com.google.update.plist) for persistence, which re-launches GoogIe LLC at login and stores authentication keys for later stages. The most advanced componentused in the attack is CoreKitAgent, the main payload of the NimDoor framework, which operates as an event-driven binary, using macOS's kqueue mechanism to asynchronously manage execution. It implements a 10-case state machine with a hardcoded state transition table, allowing flexible control flow based on runtime conditions. The most distinctive feature is its signal-based persistence mechanisms, where it installs custom handlers for SIGINT and SIGTERM.
#bleepingcomputer#EN#2025#macOS#Malware#Nim#NimDoor#Persistence#North-Korea
·bleepingcomputer.com·
NimDoor crypto-theft macOS malware revives itself when killed
🇬🇧 Houken seeking a path by living on the edge with zero-days
🇬🇧 Houken seeking a path by living on the edge with zero-days
CERTFR-2025-CTI-009 Date de la dernière version 01 juillet 2025 In September 2024, ANSSI observed an attack campaign seeking initial access to French entities’ networks through the exploitation of several zero-day vulnerabilities on Ivanti Cloud Service Appliance (CSA) devices. French organizations from governmental, telecommunications, media, finance, and transport sectors were impacted. ANSSI’s investigations led to the conclusion that a unique intrusion set was leveraged to conduct this attack campaign. The Agency named this intrusion set « Houken ». Moderately sophisticated, Houken can be characterized by an ambivalent use of resources. While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers. Houken’s attack infrastructure is made up of diverse elements - including commercial VPNs and dedicated servers. ANSSI suspects that the Houken intrusion set is operated by the same threat actor as the intrusion set previously described by MANDIANT as UNC5174. Since 2023, Houken is likely used by an access broker to gain a foothold on targeted systems, which could eventually be sold to entities interested in carrying out deeper post-exploitation activities. Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new to ANSSI’s knowledge. The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence. However, ANSSI also observed one case of data exfiltration as well as an interest in the deployment of cryptominers, indicating straight-forward profit-driven objectives. 2.1 The attack campaign in a nutshell At the beginning of September 2024, an attacker repeatedly exploited vulnerabilities CVE-2024- 8190, CVE-2024-8963, and CVE-2024-9380 vulnerabilities to remotely execute arbitrary code on vulnerable Ivanti Cloud Service Appliance devices [1, 2, 3, 4]. These vulnerabilities were exploited as zero-days, before the publication of the Ivanti security advisory [5, 6, 7]. The attacker opportunistically chained these vulnerabilities to gain initial access on Ivanti CSA appliances, with the intention of: • Obtaining credentials through the execution of a base64 encoded Python script1 . • Ensuring persistence, by: – deploying or creating PHP webshells; – modifying existing PHP scripts to add webshells capabilities; – occasionally installing a kernel module which acts as a rootkit once loaded. Likely in an effort to prevent exploitation by additional unrelated actors, the attacker attempted to self-patch web resources affected by the vulnerabilities. On occasions, and after establishing a foothold on victim networks through the compromise of Ivanti CSA devices, the attacker performed reconnaissance activities and moved laterally. In-depth compromises allowed the attacker to gather additional credentials and deploy further persistence mechanisms. Most recent activities around this attack campaign were observed at the end of November 2024 by ANSSI. Several incidents affecting French entities, and linked to this attack campaign, were observed by ANSSI at the end of 2024. The campaign targeted french organizations from governmental, telecommunications, media, finance, and transport sectors. In three cases, the compromise of Ivanti CSA devices was followed by lateral movements toward the victims’ internal information systems. The malicious actor also collected credentials and attempted to establish a persistence on these compromised networks. Attacker’s operational activities time zone was UTC+8, which aligns with China Standard Time (CST). ANSSI provided significant support to these entities, a
#ANSSI#EN#2025#rapport#Houken#Ivanti#CVE-2024-#8190#CVE-2024-8963#CVE-2024-9380#France#China
·cert.ssi.gouv.fr·
🇬🇧 Houken seeking a path by living on the edge with zero-days
Cisco warns that Unified CM has hardcoded root SSH credentials
Cisco warns that Unified CM has hardcoded root SSH credentials
Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges. Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony systems, handling call routing, device management, and telephony features. The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing.
#bleepingcomputer#EN#CVE-2025-20309#2025#CUCM#CallManager#Unified#Security#Password#Root#Hardcoded#Communications#Cisco
·bleepingcomputer.com·
Cisco warns that Unified CM has hardcoded root SSH credentials
Spain arrests hackers who targeted politicians and journalists
Spain arrests hackers who targeted politicians and journalists
The Spanish police have arrested two individuals in the province of Las Palmas for their alleged involvement in cybercriminal activity, including data theft from the country's government. The duo has been described as a "serious threat to national security" and focused their attacks on high-ranking state officials as well as journalists. They leaked samples of the stolen data online to build notoriety and inflate the selling price. "The investigation began when agents detected the leakage of personal data affecting high-level institutions of the State across various mass communication channels and social networks," reads the police announcement. "These sensitive data were directly linked to politicians, members of the central and regional governments, and media professionals." The first suspect is believed to have specialized in data exfiltration, while the second managed the financial part by selling access to databases and credentials, and holding the cryptocurrency wallet that received the funds. The two were arrested yesterday at their homes. During the raids, the police confiscated a large number of electronic devices that may lead to more incriminating evidence, buyers, or co-conspirators.
#bleepingcomputer#EN#busted#Arrest#Spain#Computer#Police#Journalist#Data#Government#Theft
·bleepingcomputer.com·
Spain arrests hackers who targeted politicians and journalists
NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777
NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777
June 26, 2025 by Anil Shetty netscaler.com Over the past two weeks, Cloud Software Group has released builds to address CVE-2025-6543 and CVE 2025-5777, which affect NetScaler ADC and NetScaler Gateway if they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR an Authentication Authorization and Auditing (“AAA”) virtual server. While both of the vulnerabilities involve the same modules, the exposures differ. CVE 2025-6543, if exploited, could lead to a memory overflow vulnerability, resulting in unintended control flow and Denial of Service. CVE 2025-5777 arises from insufficient input validation that leads to memory overread. Some commentators have drawn comparisons between CVE 2025-5777 and CVE 2023-4966. While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related. The description of the vulnerability on the NIST website for CVE-2025-5777 initially erroneously identified NetScaler Management Interface as implicated in the vulnerability, but they subsequently updated the description to exclude it. The most accurate description of CVE 2025-5777 can be found in the Citrix security bulletin published on June 17, 2025. Through our internal review process and by collaborating with customers, we identified the affected NetScaler ADC and NetScaler Gateway builds. CVE 2025-5777 only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates. Please refer to the security bulletin for more details. Citrix has signed CISA’s Secure by Design pledge, reinforcing our commitment to building security into every stage of the product lifecycle. As part of this pledge, we prioritize security by default, transparency, and accountability in how we manage vulnerabilities. Our Product Security Incident Response Team (PSIRT) follows industry standards to assess, address, and disclose vulnerabilities responsibly. We work closely with security researchers, government agencies and customers to ensure timely fixes and clear communication. Learn more about our responsible disclosure process at Citrix Vulnerability Response. Additionally, there’s an issue related to authentication that you may observe after upgrading NetScaler to build 14.1 47.46 or 13.1 59.19. This can manifest as a “broken” login page, especially when using authentication methods like DUO configurations based on Radius authentication, SAML, or any Identity Provider (IDP) that relies on custom scripts. This behavior can be attributed to the Content Security Policy (CSP) header being enabled by default in this NetScaler build, especially when CSP was not enabled prior to the upgrade. For more information on this issue please refer to the KB article.
#netscaler#EN#2025#CVE-2025-6543#CVE-2025-5777#Critical#vulnerabilty
·netscaler.com·
NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777
FBI Warning on IoT Devices: How to Tell If You Are Impacted
FBI Warning on IoT Devices: How to Tell If You Are Impacted
On June 5th, the FBI released a PSA titled “Home Internet Connected Devices Facilitate Criminal Activity.” This PSA largely references devices impacted by the latest generation of BADBOX malware (as named by HUMAN’s Satori Threat Intelligence and Research team) that EFF researchers also encountered primarily on Android TV set-top boxes. However, the malware has impacted tablets, digital projectors, aftermarket vehicle infotainment units, picture frames, and other types of IoT devices. One goal of this malware is to create a network proxy on the devices of unsuspecting buyers, potentially making them hubs for various potential criminal activities, putting the owners of these devices at risk from authorities. This malware is particularly insidious, coming pre-installed out of the box from major online retailers such as Amazon and AliExpress. If you search “Android TV Box” on Amazon right now, many of the same models that have been impacted are still up being sold by sellers of opaque origins. Facilitating the sale of these devices even led us to write an open letter to the FTC, urging them to take action on resellers. The FBI listed some indicators of compromise (IoCs) in the PSA for consumers to tell if they were impacted. But the average person isn’t running network detection infrastructure in their homes, and cannot hope to understand what IoCs can be used to determine if their devices generate “unexplained or suspicious Internet traffic.” Here, we will attempt to help give more comprehensive background information about these IoCs. If you find any of these on devices you own, then we encourage you to follow through by contacting the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov. The FBI lists these IoC: The presence of suspicious marketplaces where apps are downloaded. Requiring Google Play Protect settings to be disabled. Generic TV streaming devices advertised as unlocked or capable of accessing free content. IoT devices advertised from unrecognizable brands. Android devices that are not Play Protect certified. Unexplained or suspicious Internet traffic. The following adds context to above, as well as some added IoCs we have seen from our research.
#eff#EN#2025#guide#IoCs#FBI#BADBOX
·eff.org·
FBI Warning on IoT Devices: How to Tell If You Are Impacted
Iran-linked hackers threaten to release Trump aides' emails
Iran-linked hackers threaten to release Trump aides' emails
  • Hackers say they might try to sell emails from Trump aides Group leaked documents from Republican president's campaign last year US has said group known as Robert works for Iran's Revolutionary Guards WASHINGTON, June 30 (Reuters) - Iran-linked hackers have threatened to disclose more emails stolen from U.S. President Donald Trump's circle, after distributing a prior batch to the media ahead of the 2024 U.S. election. In online chats with Reuters on Sunday and Monday, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails from the accounts of White House Chief of Staff Susie Wiles, Trump lawyer Lindsey Halligan, Trump adviser Roger Stone and porn star-turned-Trump antagonist Stormy Daniels.
#reuters#EN#2025#Iran#US#Trump#leak#threaten#emails
·reuters.com·
Iran-linked hackers threaten to release Trump aides' emails
ICC detects and contains new sophisticated cyber security incident
ICC detects and contains new sophisticated cyber security incident
Press release: 30 June 2025 Late last week, the International Criminal Court (“ICC” or “the Court”) detected a new, sophisticated and targeted cyber security incident, which has now been contained. This incident, the second of this type against the ICC in recent years, was swiftly discovered, confirmed and contained, through the Court’s alert and response mechanisms. A Court-wide impact analysis is being carried out, and steps are already being taken to mitigate any effects of the incident. The Court considers it essential to inform the public and its States Parties about such incidents as well as efforts to address them, and calls for continued support in the face of such challenges. Such support ensures the Court’s capacity to implement its critical mandate of justice and accountability, which is a shared responsibility of all States Parties.
#icc-cpi.int#EN#2025#press-release#ICC#International-Criminal-Court#CYBERINCIDENT
·icc-cpi.int·
ICC detects and contains new sophisticated cyber security incident
Treasury Sanctions Global Bulletproof Hosting Service Enabling Cybercriminals and Technology Theft
Treasury Sanctions Global Bulletproof Hosting Service Enabling Cybercriminals and Technology Theft
July 1, 2025 WASHINGTON Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Aeza Group, a bulletproof hosting (BPH) services provider, for its role in supporting cybercriminal activity targeting victims in the United States and around the world. BPH service providers sell access to specialized servers and other computer infrastructure designed to help cybercriminals like ransomware actors, personal information stealers, and drug vendors evade detection and resist law enforcement attempts to disrupt their malicious activities. OFAC is also designating two affiliated companies and four individuals who are Aeza Group leaders. Finally, in coordination with the United Kingdom’s (UK) National Crime Agency (NCA), OFAC is designating an Aeza Group front company in the UK. “Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. “Treasury, in close coordination with the UK and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem.” Today’s action is being taken pursuant to Executive Order (E.O.) 13694, as further amended, and builds on OFAC’s February action targeting ZServers BPH. Today’s action also reflects Treasury’s continued work to combat cybercrime and degrade the support networks that enable malicious actors to target U.S. citizens, technology, and critical industries. AEZA GROUP: KEY TECHNICAL SUPPORT FOR RANSOMWARE GROUPS, CYBERCRIME, AND ILLICIT DRUGS Aeza Group, headquartered in St. Petersburg, Russia, has provided BPH services to ransomware and malware groups such as the Meduza and Lumma infostealer operators, who have used the hosting service to target the U.S. defense industrial base and technology companies, among other victims globally. Infostealers are often used to harvest personal identifying information, passwords, and other sensitive credentials from compromised victims. These credentials are then often sold on darknet markets for profit, making infostealer operators a key piece of the cybercrime ecosystem. Aeza Group has also hosted BianLian ransomware, RedLine infostealer panels, and BlackSprut, a Russian darknet marketplace for illicit drugs. Darknet drug marketplaces allow for the anonymous purchase and shipment of narcotics over the internet, making them a present and increasing contributor to drug trafficking to the United States and worldwide. According to Treasury’s Financial Crimes Enforcement Network (FinCEN) and its supplemental advisory on fentanyl, criminal organizations use darknet marketplaces to sell precursor chemicals and manufacturing equipment used for the synthesis of fentanyl and other synthetic opioids, as well as to traffic fentanyl and other narcotics into the United States. OFAC is designating Aeza Group pursuant to E.O. 13694, as further amended by E.O. 14144 and E.O. 14306, for being responsible or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve causing a misappropriation of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information for commercial or competitive advantage or private financial gain. Aeza International Ltd. is the United Kingdom branch of Aeza Group. Aeza Group uses Aeza International to lease IP addresses to cybercriminals, including Meduza infostealer operators. Aeza Logistic LLC and Cloud Solutions LLC are Russia-based subsidiaries that are 100% owned by Aeza Group. Servers BPH. 
#treasury.gov#EN#2025#US#Treasury#Sanctions#Bulletproof#Hosting#Service#Aeza#AezaGroup
·home.treasury.gov·
Treasury Sanctions Global Bulletproof Hosting Service Enabling Cybercriminals and Technology Theft
QANTAS CYBER INCIDENT
QANTAS CYBER INCIDENT
Qantas can confirm that a cyber incident has occurred in one of its contact centres impacting customer data. The system is now contained. We understand this will be concerning for customers. We are currently contacting customers to make them aware of the incident, apologise and provide details on the support available. The incident occurred when a cyber criminal targeted a call centre and gained access to a third party customer servicing platform. There is no impact to Qantas’ operations or the safety of the airline. What we know On Monday, we detected unusual activity on a third party platform used by a Qantas airline contact centre. We then took immediate steps and contained the system. We can confirm all Qantas systems remain secure. There are 6 million customers that have service records in this platform. We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers. Importantly, credit card details, personal financial information and passport details are not held in this system. No frequent flyer accounts were compromised nor have passwords, PIN numbers or log in details been accessed. Actions we are taking While we conduct the investigation, we are putting additional security measures in place to further restrict access and strengthen system monitoring and detection. Qantas has notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. Given the criminal nature of this incident, the Australian Federal Police has also been notified. We will continue to support these agencies as the investigation continues. Qantas has established a dedicated customer support line as well as a dedicated page on qantas.com to provide the latest information to customers. We will continue to share updates including via our website and social channels. Qantas Group Chief Executive Officer Vanessa Hudson said: “We sincerely apologise to our customers and we recognise the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously. “We are contacting our customers today and our focus is on providing them with the necessary support. “We are working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialised cyber security experts.”
#qantasnewsroom#EN#2025#QANTAS#CYBERINCIDENT#Airline
·qantasnewsroom.com.au·
QANTAS CYBER INCIDENT
Chrome 0-Day Flaw Exploited in the Wild to Execute Arbitrary Code
Chrome 0-Day Flaw Exploited in the Wild to Execute Arbitrary Code
Google has issued an urgent security update for its Chrome browser, addressing a critical zero-day vulnerability that is being actively exploited by attackers. The flaw, tracked as CVE-2025-6554, is a type confusion vulnerability in Chrome’s V8 JavaScript engine, which underpins the browser’s ability to process web content across Windows, macOS, and Linux platforms. The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG) on June 25, 2025. According to Google, attackers have already developed and deployed exploits targeting this flaw in the wild, prompting the company to act quickly.
#gbhackers#EN#2025#Chrome#0-Day#Flaw#Exploited#vulnerability#CVE-2025-6554
·gbhackers.com·
Chrome 0-Day Flaw Exploited in the Wild to Execute Arbitrary Code
Vulnerability Advisory: Sudo chroot Elevation of Privilege
Vulnerability Advisory: Sudo chroot Elevation of Privilege
The Sudo utility is a privileged command-line tool installed on Linux systems that allows a permitted user to execute a command as the superuser, or another user, as specified by the security policy. It is commonly used to implement the least privilege model by delegating administrative tasks that require elevated privileges without sharing the root password, while also creating an audit trail in the system log. The Stratascale Cyber Research Unit (CRU) team discovered two local privilege vulnerabilities in Sudo. These vulnerabilities can result in the escalation of privileges to root on the impacted system. The research focused on infrequently used command-line options. This blog explores how the Sudo chroot option can be leveraged by any local user to elevate privileges to root, even if no Sudo rules are defined for that user. The default Sudo configuration is vulnerable. Although the vulnerability involves the Sudo chroot feature, it does not require any Sudo rules to be defined for the user. As a result, any local unprivileged user could potentially escalate privileges to root if a vulnerable version is installed. The following versions are known to be vulnerable. Note: Not all versions within the range have been tested. Stable 1.9.14 - 1.9.17 Note: The legacy versions of Sudo (currently 1.8.32) are not vulnerable because the chroot feature does not exist. Exploitation has been verified on: Ubuntu 24.04.1; Sudo 1.9.15p5, Sudo 1.9.16p2 Fedora 41 Server; Sudo 1.9.15p5
#stratascale#EN#2025#sudo#vulnerability#chroot#CVE-2025-32463
·stratascale.com·
Vulnerability Advisory: Sudo chroot Elevation of Privilege
The People's Liberation Army Cyberspace Force
The People's Liberation Army Cyberspace Force
Established in 2024, the People's Liberation Army Cyberspace Force merges cyber and electronic warfare to disrupt, deter, and dominate in future conflicts. With the launch of its Cyberspace Force, China has elevated the digital domain to a theatre of war. The Cyberspace Force of the People’s Liberation Army (PLA) is China’s newest military branch, launched on 19 April 2024. Based in Haidian District, Beijing, and with five antennas across the country, it operates under the direct authority of the Central Military Commission (CMC). Its creation followed the dissolution of the Strategic Support Force (SSF) and shows a broader shift in China’s approach to modern warfare. The force is tasked with both defending and attacking in the cyber domain. Additionally, it covers: Network security Electronic warfare Information dominance The Cyberspace Force plays a central role in China’s preparation for future conflicts, particularly in what the PLA calls “informatised warfare”, a doctrine focused on controlling the flow of information across all domains. By placing the unit directly under the CMC, China ensures centralised control, operational discipline, and strategic reach in cyberspace. On 19 April 2024, the CMC formally dissolved the SSF and created three independent forces: Cyberspace Force Aerospace Force * Information Support Force This marked the first time China designated cyberspace as an independent warfare domain with dedicated command, personnel, and budgetary autonomy. The Cyberspace Force now operates as a Corps Leader-grade service, headquartered in Beijing. It is led by Lieutenant General Zhang Minghua, with Lieutenant General Han Xiaodong serving as its political commissar. Its emergence reflects a shift from fragmented technical capabilities to centralised, strategic integration of cyber warfare into China’s military planning.
#greydynamics#EN#2025#China#army#SSF#Cyberspace#Force
·greydynamics.com·
The People's Liberation Army Cyberspace Force
Unveiling RIFT: Enhancing Rust malware analysis through pattern matching
Unveiling RIFT: Enhancing Rust malware analysis through pattern matching
Today, Microsoft Threat Intelligence Center is excited to announce the release of RIFT, a tool designed to assist malware analysts automate the identification of attacker-written code within Rust binaries. Known for its efficiency, type safety, and robust memory safety, Rust has increasingly become a tool for creating malware, especially among financially motivated groups and nation-state entities. This shift has introduced new challenges for malware analysts as the unique characteristics of Rust binaries make static analysis more complex. One of the primary challenges in reverse engineering malware developed with Rust lies in its layers of abstraction added through features such as memory safety and concurrency handling, making it more challenging to identify the behavior and intent of the malware. Compared to traditional languages, Rust binaries are often larger and more complex due to the incorporation of extensive library code. Consequently, reverse engineers must undertake the demanding task of distinguishing attacker-written code from standard library code, necessitating advanced expertise and specialized tools. To address these pressing challenges, Microsoft Threat Intelligence Center has developed RIFT. RIFT underscores the growing need for specialized tools as cyber threat actors continue to leverage Rust’s features to evade detection and complicate analysis. The adoption of Rust by threat actors is a stark reminder of the ever-changing tactics employed in the cyber domain, and the increasing sophistication required to combat these threats effectively. In this blog post, we explore how threat actors are increasingly adopting Rust for malware development due to its versatility and how RIFT can be used to combat this threat by enhancing the efficiency and accuracy of Rust-based malware analysis.
#microsoft#EN#2025#tool#Rust#annouce#RIFT#binaries
·microsoft.com·
Unveiling RIFT: Enhancing Rust malware analysis through pattern matching
Swiss government affected by cyberattack on health foundation
Swiss government affected by cyberattack on health foundation
Switzerland says a ransomware attack on the non-profit health foundation Radix that involved data being stolen and encrypted had also affected the federal administration. The Radix Foundation, a not-for-profit organisation active in the field of health promotion, has been the victim of a ransomware attack, it was confirmed on Monday. The criminals stole and encrypted data, which they then published on the darknet. The foundation contacted the National Cybersecurity Centre (NCSC) after carrying out an initial analysis of the situation, it announced on Monday. Radix’s clientele also includes various administrative units of the federal administration. The aim is to determine which services and data are actually affected by the cyber attack. At no time were the hackers able to penetrate the systems of the federal administration, as the Radix Foundation itself does not have such direct access, the centre pointed out.
#swissinfo#EN#Switzerland#ransomware#attack#non-profit#encrypted#federal#administration
·swissinfo.ch·
Swiss government affected by cyberattack on health foundation
Dozens of pro-Indy accounts go dark after Israeli strikes
Dozens of pro-Indy accounts go dark after Israeli strikes
On 12 June 2025, dozens of anonymous X (formerly Twitter) accounts advocating Scottish independence abruptly went silent. Many had posted hundreds of times per week, often using pro-independence slogans, anti-UK messaging, and identity cues like “NHS nurse” or “Glaswegian socialist.” Their sudden disappearance coincided with a major Israeli airstrike campaign against Iranian military and cyber infrastructure. Within days, Iran had suffered severe power outages, fuel shortages, and an internet blackout affecting 95 percent of national connectivity. What appeared at first glance to be a curious coincidence has since emerged as the most visible rupture to date in a long-running foreign influence operation.
#ukdefencejournal#EN#2025#Iran#Uk#X#influence#operation#twitter#accounts#Scotland
·ukdefencejournal.org.uk·
Dozens of pro-Indy accounts go dark after Israeli strikes
Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
A cartel affiliate notified an FBI agent about a hacker who infiltrated cameras and phones to track an FBI official’s meetings, the DOJ inspector general said. A hacker working on behalf of the Sinaloa drug cartel infiltrated cameras and phones to track an FBI official in Mexico investigating the drug lord El Chapo, then used data from that surveillance to kill and intimidate potential sources and witnesses the agent was meeting with, a Justice Department watchdog report revealed. An FBI case agent learned about the hacker from someone affiliated with the cartel in 2018, according to the inspector general report released Friday. “That individual said the cartel had hired a ‘hacker’ who offered a menu of services related to exploiting mobile phones and other electronic devices,” the report states. “According to the individual, the hacker had observed people going in and out of the United States Embassy in Mexico City and identified ‘people of interest’ for the cartel, including the FBI Assistant Legal Attache (ALA T), and then was able to use the ALA T’s mobile phone number to obtain calls made and received, as well as geolocation data, associated with the ALAT’s phone.
#cyberscoop#EN#2025#Sinaloa#cartel#hacker#FBI#US#El-Chapo#hired
·cyberscoop.com·
Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
Norwegian Dam Valve Forced Open for Hours in Cyberattack
Norwegian Dam Valve Forced Open for Hours in Cyberattack
Unidentified hackers breached a Norwegian dam's control system in April, opening its valve for hours due to a weak password. In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected. According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second. The incident was discovered on April 7 by the dam’s owner, Breivika Eiendom. Norwegian authorities, including NSM (National Security Authority), NVE (Norwegian Water Resources and Energy Directorate), and Kripos (a special agency of the Norwegian Police Service), were alerted on April 10, and an investigation is now underway. Officials suspect the breach occurred because the valve’s web-accessible control panel was protected by a weak password. Breivika technical manager Bjarte Steinhovden speculated this was the likely vulnerability. The initial point of entry allowed attackers to bypass authentication controls and gain direct access to the operational technology (OT) environment.
#hackread#EN#2025#Norway#IoT#Dam#Cyberattack
·hackread.com·
Norwegian Dam Valve Forced Open for Hours in Cyberattack
50 Customers of French Bank Hit by Insider SIM Swap Scam
50 Customers of French Bank Hit by Insider SIM Swap Scam
An intern at Société Générale is believed to have facilitated the theft of more than EUR1mn (USD1.15mn) from the bank's customers. A business student who was interning at Société Générale, a leading multinational bank headquartered in France, is believed to have fed information to SIM swappers who stole from 50 customers of the bank, reports Le Parisien. The intern’s arrest prompted officers from France’s fraud police (La Brigade des Fraudes aux Moyens de Paiement, BFMP) to identify a series of alleged accomplices, including one person who specialized in taking control of the phone service of victims. Using information provided by the intern, the SIM swapper would call the comms providers that provided service to customers of Société Générale. He would pretend to be the legitimate phone user, and that his phone had been lost so a replacement SIM would be issued to him. Having taken control of the victim’s phone service, the SIM swapper would then receive the one-time passwords sent to those numbers by Société Générale. With these codes, the gang were able to withdraw money from the bank accounts of victims. In total, it is believed that more than EUR1mn (USD1.15mn) was stolen this way.
#commsrisk#EN#2025#Société-Générale#insider#SIM-swapping
·commsrisk.com·
50 Customers of French Bank Hit by Insider SIM Swap Scam
Hide Your RDP: Password Spray Leads to RansomHub Deployment
Hide Your RDP: Password Spray Leads to RansomHub Deployment
  • Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period. Mimikatz and Nirsoft were used to harvest credentials, with evidence of LSASS memory access. Discovery was accomplished using living-off-the-land binaries as well as Advanced IP Scanner and NetScan. Rclone was used to exfiltrate data to a remote server using SFTP. The threat actor deployed RansomHub ransomware network wide, which spread over SMB and was executed using remote services.
#thedfirreport#EN#2025#incident-response#report#RDP#password-spray#RansomHub
·thedfirreport.com·
Hide Your RDP: Password Spray Leads to RansomHub Deployment
DeepSeek faces ban from Apple, Google app stores in Germany | Reuters
DeepSeek faces ban from Apple, Google app stores in Germany | Reuters
Germany's data protection commissioner has asked Apple and Google to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, following a similar crackdown elsewhere. Germany says DeepSeek illegally transfers user data to China Apple and Google must now review Germany's request * Italy blocked DeepSeek app earlier this year FRANKFURT, June 27 (Reuters) - Germany's data protection commissioner has asked Apple (AAPL.O), opens new tab and Google (GOOGL.O), opens new tab to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, following a similar crackdown elsewhere. Commissioner Meike Kamp said in a statement on Friday that she had made the request because DeepSeek illegally transfers users' personal data to China. The two U.S. tech giants must now review the request promptly and decide whether to block the app in Germany, she added, though her office has not set a precise timeframe. Google said it had received the notice and was reviewing it. DeepSeek did not respond to a request for comment. Apple was not immediately available for comment. According to its own privacy policy, opens new tab, DeepSeek stores numerous pieces of personal data, such as requests to its AI programme or uploaded files, on computers in China. "DeepSeek has not been able to provide my agency with convincing evidence that German users' data is protected in China to a level equivalent to that in the European Union," Kamp said. "Chinese authorities have far-reaching access rights to personal data within the sphere of influence of Chinese companies," she added.
#reuters#EN#2025#Germany#Italy#DeepSeek#legal#China
·reuters.com·
DeepSeek faces ban from Apple, Google app stores in Germany | Reuters
Denmark to tackle deepfakes by giving people copyright to their own features
Denmark to tackle deepfakes by giving people copyright to their own features
The Danish government is to clamp down on the creation and dissemination of AI-generated deepfakes by changing copyright law to ensure that everybody has the right to their own body, facial features and voice. The Danish government said on Thursday it would strengthen protection against digital imitations of people’s identities with what it believes to be the first law of its kind in Europe. Having secured broad cross-party agreement, the department of culture plans to submit a proposal to amend the current law for consultation before the summer recess and then submit the amendment in the autumn. It defines a deepfake as a very realistic digital representation of a person, including their appearance and voice. The Danish culture minister, Jakob Engel-Schmidt, said he hoped the bill before parliament would send an “unequivocal message” that everybody had the right to the way they looked and sounded. He told the Guardian: “In the bill we agree and are sending an unequivocal message that everybody has the right to their own body, their own voice and their own facial features, which is apparently not how the current law is protecting people against generative AI.” He added: “Human beings can be run through the digital copy machine and be misused for all sorts of purposes and I’m not willing to accept that.” The move, which is believed to have the backing of nine in 10 MPs, comes amid rapidly developing AI technology that has made it easier than ever to create a convincing fake image, video or sound to mimic the features of another person. The changes to Danish copyright law will, once approved, theoretically give people in Denmark the right to demand that online platforms remove such content if it is shared without consent.
#theguardian#EN#2025#Denmark#AI-generated#deepfakes#legal#copyright
·theguardian.com·
Denmark to tackle deepfakes by giving people copyright to their own features
Hawaiian Airlines discloses cyberattack, flights not affected
Hawaiian Airlines discloses cyberattack, flights not affected
Hawaiian Airlines, the tenth-largest commercial airline in the United States, is investigating a cyberattack that has disrupted access to some of its systems. With over 7,000 employees, 235 average daily flights, and a fleet of over 60 airplanes, Hawaiian Airlines connects Hawai'i with 15 U.S. mainland cities and 10 other destinations across Asia and the Pacific. The airline stated in a statement issued on Thursday morning that the incident didn't affect flight safety and has already contacted relevant authorities to assist in investigating the attack. Hawaiian Airlines also hired external cybersecurity experts to asses the attack's impact and help restore affected systems. "Hawaiian Airlines is addressing a cybersecurity event that has affected some of our IT systems. Our highest priority is the safety and security of our guests and employees. We have taken steps to safeguard our operations, and our flights are operating safely and as scheduled," the airline said. "Upon learning of this incident, we engaged the appropriate authorities and experts to assist in our investigation and remediation efforts. We are currently working toward an orderly restoration and will provide updates as more information is available." A banner on the airline's website notes that the incident hasn't impacted flights in any way and that travel hasn't been affected. The same alert is also displayed on the Alaska Airlines website, which is owned by Alaska Air Group, a company that acquired Hawaiian Airlines last year.
#bleepingcomputer#EN#2025#Airline#Cyberattack#Hawaii#Hawaiian-Airlines#USA
·bleepingcomputer.com·
Hawaiian Airlines discloses cyberattack, flights not affected
Pre-Auth Flaw in MongoDB Server Allows Attackers to Cause DoS
Pre-Auth Flaw in MongoDB Server Allows Attackers to Cause DoS
A critical pre-authentication vulnerability (CVE-2025-6709) in MongoDB Server enables unauthenticated attackers to trigger denial-of-service (DoS) conditions by exploiting improper input validation in OIDC authentication. The flaw allows malicious actors to crash database servers by sending specially crafted JSON payloads containing specific date values, causing invariant failures and server crashes. This vulnerability affects MongoDB Server versions before 7.0.17, 8.0.5, and 6.0.21 (with authentication required for 6.x exploitation). Vulnerability Analysis Attackers can reproduce the exploit using MongoDB’s mongo shell to send malicious JSON payloads targeting the OIDC authentication mechanism. The server fails to properly validate date values in JSON input, leading to: Complete server crashes without authentication in v7.0 and v8.0 deployments Post-authentication DoS in v6.0 environments Critical disruption of database operations through invariant failures The vulnerability carries a CVSS score of 7.5 (High) due to its network-based attack vector, low attack complexity, and high availability impact. MongoDB has classified this as CWE-20 (Improper Input Validation). Mitigation and Updates Administrators should immediately upgrade to patched versions: MongoDB v6.0 → 6.0.21 or later MongoDB v7.0 → 7.0.17 or later MongoDB v8.0 → 8.0.5 or later For environments where immediate patching isn’t feasible, consider disabling OIDC authentication until updates are applied.
#gbhackers#EN#2025#vulnerability#MongoDB#DoS#CVE-2025-6709
·gbhackers.com·
Pre-Auth Flaw in MongoDB Server Allows Attackers to Cause DoS
New Guidance Released for Reducing Memory-Related Vulnerabilities
New Guidance Released for Reducing Memory-Related Vulnerabilities
This joint guide highlights important considerations for organizations seeking to transition toward more secure software development practices Today, CISA, in partnership with the National Security Agency (NSA), released a joint guide on reducing memory-related vulnerabilities in modern software development. Memory safety vulnerabilities pose serious risks to national security and critical infrastructure. Adopting memory safe languages (MSLs) offers the most comprehensive mitigation against this class of vulnerabilities and provides built-in safeguards that enhance security by design. CISA’s Secure by Design program advocates for integrating proactive security measures throughout the software development lifecycle, with MSLs as a central component. Consistent support for MSLs underscores their benefits for national security and resilience by reducing exploitable flaws before products reach users. This joint guide outlines key challenges to adopting MSLs, offers practical approaches for overcoming them, and highlights important considerations for organizations seeking to transition toward more secure software development practices. Organizations in academia, U.S. government, and private industry are encouraged to review this guidance and support adoption of MSLs. In addition to the product published today, CISA and the NSA previously released the joint guide, The Case for Memory Safe Roadmaps. To learn more about memory safety, visit Secure by Design on CISA.gov. Please share your thoughts with us via our anonymous product survey; we welcome your feedback.
#cisa#EN#2025#Guidance#NSA#Memory-Related#Vulnerabilities#development
·cisa.gov·
New Guidance Released for Reducing Memory-Related Vulnerabilities
Scale AI exposed sensitive data about clients like Meta and xAI in public Google Docs, BI finds
Scale AI exposed sensitive data about clients like Meta and xAI in public Google Docs, BI finds
As Scale AI seeks to reassure customers that their data is secure following Meta's $14.3 billion investment, leaked files and the startup's own contractors indicate it has some serious security holes. Scale AI routinely uses public Google Docs for work with Google, Meta, and xAI. BI reviewed thousands of files — some marked confidential, others exposing contractor data. * Scale AI says it's conducting a "thorough investigation." Scale AI routinely uses public Google Docs to track work for high-profile customers like Google, Meta, and xAI, leaving multiple AI training documents labeled "confidential" accessible to anyone with the link, Business Insider found. Contractors told BI the company relies on public Google Docs to share internal files, a method that's efficient for its vast army of at least 240,000 contractors and presents clear cybersecurity and confidentiality risks. Scale AI also left public Google Docs with sensitive details about thousands of its contractors, including their private email addresses and whether they were suspected of "cheating." Some of those documents can be viewed and also edited by anyone with the right URL.
#businessinsider.com#EN#2025#ScaleAI#dataleak#Meta
·africa.businessinsider.com·
Scale AI exposed sensitive data about clients like Meta and xAI in public Google Docs, BI finds
170 patients harmed as a result of cyber attack
170 patients harmed as a result of cyber attack
More than 10,000 appointments were cancelled at the two London NHS trusts that were worst affected. Around 170 patients have suffered harm as a result of a cyber attack on blood services at London hospitals and GP surgeries, reports suggest. Pathology services provider Synnovis was the victim of a ransomware attack by a Russian cyber gang in June last year. As a result more than 10,000 appointments were cancelled at the two London NHS trusts that were worst affected. And a significant number of GP practices in London were unable to order blood tests for their patients. Now the Health Service Journal (HSJ) has reported that there were nearly 600 “incidents” linked to the attack, with patient care suffering in 170 of these.
#independent.co.uk#EN#2025#London#NHS#health#healthcare#cyberattack
·independent.co.uk·
170 patients harmed as a result of cyber attack
Microsoft 365 'Direct Send' abused to send phishing as internal users
Microsoft 365 'Direct Send' abused to send phishing as internal users
An ongoing phishing campaign abuses a little‑known feature in Microsoft 365 called "Direct Send" to evade detection by email security and steal credentials. Direct Send is a Microsoft 365 feature that allows on‑premises devices, applications, or cloud services to send emails through a tenant's smart host as if they originated from the organization's domain. It’s designed for use by printers, scanners, and other devices that need to send messages on behalf of the company. However, the feature is a known security risk, as it doesn't require any authentication, allowing remote users to send internal‑looking emails from the company's domain. Microsoft recommends that only advanced customers utilize the feature, as its safety depends on whether Microsoft 365 is configured correctly and the smart host is properly locked down.. "We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins," explains Microsoft. "You need to be familiar with setting up and following best practices for sending email over the internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication." The company has shared ways to disable the feature, which are explained later in the article, and says they are working on a way to deprecate the feature.
#bleepingcomputer#EN#2025#Credentials#Direct-Send#Email#Microsoft#Microsoft-365#Phishing
·bleepingcomputer.com·
Microsoft 365 'Direct Send' abused to send phishing as internal users
CISA: AMI MegaRAC bug enabling server hijacks exploited in attacks
CISA: AMI MegaRAC bug enabling server hijacks exploited in attacks
CISA says a maximum severity vulnerability in AMI's MegaRAC Baseboard Management Controller (BMC) software, which enables attackers to hijack and brick servers, is currently under active exploitation. CISA has confirmed that a maximum severity vulnerability in AMI's MegaRAC Baseboard Management Controller (BMC) software is now actively exploited in attacks. The MegaRAC BMC firmware provides remote system management capabilities for troubleshooting servers without being physically present, and it's used by several vendors (including HPE, Asus, and ASRock) that supply equipment to cloud service providers and data centers. This authentication bypass security flaw (tracked as CVE-2024-54085) can be exploited by remote unauthenticated attackers in low-complexity attacks that don't require user interaction to hijack and potentially brick unpatched servers.
#bleepingcomputer#EN#2025#Actively-Exploited#American-Megatrends-International#AMI#Authentication-Bypass#CISA#MegaRAC#CVE-2024-54085
·bleepingcomputer.com·
CISA: AMI MegaRAC bug enabling server hijacks exploited in attacks