Found 6141 bookmarks
Custom sorting
Investigating Anonymous VPS services used by Ransomware Gangs
Investigating Anonymous VPS services used by Ransomware Gangs
One of the challenges with investigating cybercrime is the infrastructure the adversaries leverage to conduct attacks. Cybercriminal infrastructure has evolved drastically over the last 25 years, which now involves hijacking web services, content distribution networks (CDNs), residential proxies, fast flux DNS, domain generation algorithms (DGAs), botnets of IoT devices, the Tor network, and all sorts of nested services. This blog shall investigate a small UK-based hosting provider known as BitLaunch as an example of how challenging it can be to tackle cybercriminal infrastructure. Research into this hosting provider revealed that they appear to have a multi-year history of cybercriminals using BitLaunch to host command-and-control (C2) servers via their Anonymous VPS service.
#bushidotoken#EN#2025#investigation#VPS#BitLaunch#C2#Ransomware
·blog.bushidotoken.net·
Investigating Anonymous VPS services used by Ransomware Gangs
Sweden’s PM on suspected cable sabotage: ‘We don’t believe random things suddenly happen quite often’
Sweden’s PM on suspected cable sabotage: ‘We don’t believe random things suddenly happen quite often’
Sweden’s Prime Minister Ulf Kristersson told the Munich Security Conference on Saturday that the country didn’t believe a series of submarine cable cuts in the Baltic Sea were simply coincidental.
#therecord.media#EN#2025#cables#Internet#Baltic#undersea#sabotage#Sweden
·therecord.media·
Sweden’s PM on suspected cable sabotage: ‘We don’t believe random things suddenly happen quite often’
Storm-2372 conducts device code phishing campaign
Storm-2372 conducts device code phishing campaign
Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Storm-2372’s targets during this time have included government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.
#microsoft#EN#2025#Storm-2372#phishing#campaign#Russia
·microsoft.com·
Storm-2372 conducts device code phishing campaign
Key figures behind Phobos and 8Base ransomware arrested in international cybercrime crackdown
Key figures behind Phobos and 8Base ransomware arrested in international cybercrime crackdown
This follows a series of high-impact arrests targeting Phobos ransomware:An administrator of Phobos was arrested in South Korea in June 2024 and extradited to the United States in November of the same year. He is now facing prosecution for orchestrating ransomware attacks that encrypted critical infrastructure, business systems, and personal data for ransom.A key Phobos affiliate was arrested in Italy...
#europol#EN#2025#busted#phobos#8base#ransomware#arrested#fedpol#crackdown#Switzerland
·europol.europa.eu·
Key figures behind Phobos and 8Base ransomware arrested in international cybercrime crackdown
Cisco Says Ransomware Group’s Leak Related to Old Hack
Cisco Says Ransomware Group’s Leak Related to Old Hack
A fresh post on the Kraken ransomware group’s leak website refers to data stolen in a 2022 cyberattack, Cisco says. The data, a list of credentials apparently exfiltrated from Cisco’s systems, appeared over the weekend on a new data leak site operated by the Kraken ransomware group. “Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time,” a Cisco spokesperson said, responding to a SecurityWeek inquiry.
#securityweek#EN#Cisco#Ransomware#Leak#Old
·securityweek.com·
Cisco Says Ransomware Group’s Leak Related to Old Hack
DOGE as a National Cyberattack
DOGE as a National Cyberattack
In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history—not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the implications for national security are profound. First, it was reported that people associated with the newly created Department of Government Efficiency (DOGE) had accessed the US Treasury computer system, giving them the ability to collect data on and potentially control the department’s roughly ...
#schneier#EN#2025#DOGE#Cyberattack#US
·schneier.com·
DOGE as a National Cyberattack
Dutch police say they took down 127 servers used by sanctioned hosting service | The Record from Recorded Future News
Dutch police say they took down 127 servers used by sanctioned hosting service | The Record from Recorded Future News
Police in the Netherlands say they seized 127 servers this week that were used by Zservers, a bulletproof hosting service that was the subject of international sanctions issued Tuesday.
#therecord.media#EN#2025#Zservers#seized#Netherlands
·therecord.media·
Dutch police say they took down 127 servers used by sanctioned hosting service | The Record from Recorded Future News
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication | Volexity
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication | Volexity
Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack campaigns were highly targeted and carried out in a variety of ways. The majority of these attacks originated via spear-phishing emails with different themes. In one case, the eventual breach began with highly tailored outreach via Signal.Through its investigations, Volexity discovered that Russian threat actors were impersonating a variety of individuals
#volexity#EN#2025#Russia#spearphishing#M365#social-engineering
·volexity.com·
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication | Volexity
RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers
RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers
Between December 2024 and January 2025, Recorded Future’s Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers. Victim organizations included a United States-based affiliate of a United Kingdom-based telecommunications provider and a South African telecommunications provider. Insikt Group attributes this activity to the Chinese state-sponsored threat activity group tracked by Insikt Group as RedMike, which aligns with the Microsoft-named group Salt Typhoon. Using Recorded Future® Network Intelligence, Insikt Group observed RedMike target and exploit unpatched Cisco network devices vulnerable to CVE-2023-20198, a privilege escalation vulnerability found in the web user interface (UI) feature in Cisco IOS XE software, for initial access before exploiting an associated privilege escalation vulnerability, CVE-2023-20273, to gain root privileges. RedMike reconfigures the device, adding a generic routing encapsulation (GRE) tunnel for persistent access.
#recordedfuture#EN#2025#Salt-Typhoon#RedMike#Cisco#compromise#CVE-2023-20273#CVE-2023-20198
·recordedfuture.com·
RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers
New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale | GreyNoise Blog
New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale | GreyNoise Blog
GreyNoise has detected a surge in exploitation attempts for two vulnerabilities—one flagged as a top target by government agencies and another flying under the radar despite real-world attacks. See the latest exploitation trends and why real-time intelligence is essential for risk management.
#greynoise#EN#2025#ThinkPHP#ownCloud#Exploitation#Surge
·greynoise.io·
New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale | GreyNoise Blog
THAI-SWISS-US OPERATION NETS HACKERS BEHIND 1,000+ CYBER ATTACKS
THAI-SWISS-US OPERATION NETS HACKERS BEHIND 1,000+ CYBER ATTACKS
Thai police arrested four European hackers in Phuket who allegedly stole $16 million through ransomware attacks affecting over 1,000 victims worldwide. The suspects, wanted by Swiss and US authorities, were caught in coordinated raids across four locations. Officers from Cyber Crime Investigation Bureau, led by Police Lieutenant General Trairong Phiwphan, conducted “Operation PHOBOS AETOR” in Phuket on February 10, arresting four foreign hackers involved in ransomware attacks. The operation, coordinated with Immigration Police and Region 8 Police, raided four locations across Phuket....
#khaosodenglish#EN#2025#Phuket#Switzerland#8base#arrested#busted#PHOBOS-AETOR
·khaosodenglish.com·
THAI-SWISS-US OPERATION NETS HACKERS BEHIND 1,000+ CYBER ATTACKS
Four alleged hackers arrested in Phuket for hacking 17 Swiss firms
Four alleged hackers arrested in Phuket for hacking 17 Swiss firms
Four alleged European hackers have been arrested in Phuket for deploying ransomware on the networks of 17 Swiss firms. The suspects are accused of causing significant damage and stealing $16 million in Bitcoins from 1,000 global victims.
#nationthailand#EN#2025#Phuket#hackers#arrested#Swiss#firms#hacking#The-Nation#8base#Thailand#Switzerland#busted
·nationthailand.com·
Four alleged hackers arrested in Phuket for hacking 17 Swiss firms
8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur
8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur
The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines - and then abandoned. Naturally, we registered them, just to see what would happen - “how many people are really trying to request software updates from S3 buckets that appear to have been abandoned months or even years ago?”, we naively thought to ourselves.
#watchtowr#EN#2025#Amazon#S3#buckets#Supply-Chain-Attack
·labs.watchtowr.com·
8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur
Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2025-21293)
Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2025-21293)
In September of 2024 while on a customer assigment I encountered the “Network Configuration Operators” group, a so called builtin group of Active Directory (default). As I had never heard of or encountered this group membership before, it sprung to eye immediately. Initially I tried to look up if it had any security implications, like its more known colleagues DNS Admins and Backup Operators, but to no avail. Surpisingly little came up about the group but I couldn’t help myself from probing further. This led me down the rabbithole of Registry Database access control lists and possibilities of weaponization, culminating with the discovery of CVE-2025-21293. Before we move along to the body of work, I have to give out a special thanks to Clément Labro, who initially did the heavy lifting of finding a way to weaponize performancecounters. (This will hopefully make more sense by the end of the article) and my colleagues at ReTest Security ApS, who have provided me with knowledge in the field and the oppertunity to put it to use.
#birkep#EN#2025#CVE-2025-21293#vulnerability#Active-Directory#Network#Configuration#Operators
·birkep.github.io·
Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2025-21293)
U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, Per First-Ever Report
U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, Per First-Ever Report
In a first-of-its-kind report, the US government has revealed that it disclosed 39 zero-day software vulnerabilities to vendors or the public in 2023 for the purpose of getting the vulnerabilities patched or mitigated, as opposed to retaining them to use in hacking operations. It’s the first time the government has revealed specific numbers about its controversial Vulnerabilities Equities Process (VEP) — the process it uses to adjudicate decisions about whether zero-day vulnerabilities it discovers should be kept secret so law enforcement, intelligence agencies, and the military can exploit them in hacking operations or be disclosed to vendors to fix them. Zero-day vulnerabilities are security holes in software that are unknown to the software maker and are therefore unpatched at the time of discovery, making systems that use the software at risk of being hacked by anyone who discovers the flaw.
#zetter-zeroday#EN#2025#US#zero-day#disclose#VEP#Vulnerabilities#Report
·zetter-zeroday.com·
U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, Per First-Ever Report