Found 847 bookmarks
Algerian ‘Jabaroot’ Group Behind CNSS Breach Attacks Moroccan Property Registry
The Moroccan National Agency for Land Conservation, Cadastre and Cartography (ANCFCC) has become the latest victim of a major cyberattack claimed by “Jabaroot,” the same hacker group behind April’s CNSS breach. The group, which identifies itself as Algerian, announced the attack on Monday, allegedly resulting in the theft and subsequent leak of thousands of sensitive property documents. According to claims the group made on their Telegram channel, the hackers have exfiltrated and released what they describe as “a massive amount of sensitive data” from ANCFCC’s databases. The leaked information reportedly includes 10,000 property ownership certificates out of a total database of more than 10 million land titles. The compromised data allegedly contains cadastral information, property owner identities, real estate references, and various personal and administrative documents.
·moroccoworldnews.com·
Thousands Hit by The North Face Credential Stuffing Attack
Sports apparel and footwear giant VF Corporation is notifying over 2,800 individuals that their personal information was compromised in a recent credential stuffing attack aimed at The North Face website. Credential stuffing occurs when threat actors leverage email addresses, usernames, and passwords compromised in a previous data breach to access accounts on a different online service where the same credentials have been reused. According to notification letters VF Corporation sent this week to the impacted individuals, copies of which were submitted to multiple regulators, a threat actor employed this technique on April 23 against a small set of user accounts on the thenorthface.com website. “Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from us) and then used those same credentials to access your account on our website,” the company’s notification letter reads. VF Corporation says it discovered the suspicious activity on the same day, and informed the Maine Attorney General’s Office that a total of 2,861 user accounts were compromised. The campaign resulted in the attackers gaining access to the information stored in the compromised accounts, such as names, addresses, email addresses, dates of birth, phone numbers, user preferences, and details on the items purchased on the website. The company underlines that payment card information was not compromised because it does not store such data on its website. “We only retain a ‘token’ linked to your payment card, and only our third-party payment card processor keeps payment card details. The token cannot be used to initiate a purchase anywhere other than on our website. Accordingly, your credit card information is not at risk as a result of this incident,” it says.
·securityweek.com·
Fraudulent emails in circulation
Emails with a forged sender named «Kanton Schaffhausen» are currently in circulation. The email promises a refund. The link it contains leads to the download of software that enables remote control of your computer. These emails are fake and do not come from the Canton of Schaffhausen. What you should do: Under no circumstances follow the instructions contained in the email. Delete the email and mark it as spam. If you have already clicked the link and the remote-control software was installed on your computer: 1. Remove the installed software and reinstall the computer from scratch. 2. Change your passwords immediately. Check whether your email address and passwords have already fallen into the wrong hands or been misused on the internet: https://www.ibarry.ch/de/sicherheits-checks 3. Monitor your bank account and contact your bank if you suspect anything, especially if you have accessed your bank account from this computer in the meantime. 4. Report the incident (voluntarily) to the Federal Office for Cybersecurity (Bundesamt für Cybersicherheit BACS): https://www.report.ncsc.admin.ch/ 5. File a criminal complaint with the police online at https://www.suisse-epolice.ch if you have suffered damage. 6. See the tips and information on phishing and cybersecurity at https://www.s-u-p-e-r.ch
·sh.ch·
Google Researchers Find New Chrome Zero-Day
Google on Monday released a fresh Chrome 137 update to address three vulnerabilities, including a high-severity bug exploited in the wild. Tracked as CVE-2025-5419, the zero-day is described as an out-of-bounds read and write issue in the V8 JavaScript engine. “Google is aware that an exploit for CVE-2025-5419 exists in the wild,” the internet giant’s advisory reads. No further details on the security defect or the exploit have been provided. However, the company credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) for reporting the issue. TAG researchers previously reported multiple vulnerabilities exploited by commercial surveillance software vendors, including such bugs in Chrome. Flaws in Google’s browser are often exploited by spyware vendors and CVE-2025-5419 could be no different. According to a NIST advisory, the exploited zero-day “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page”. It should be noted that the exploitation of out-of-bounds defects often leads to arbitrary code execution. The latest browser update also addresses CVE-2025-5068, a medium-severity use-after-free in Blink that earned the reporting researcher a $1,000 bug bounty. No reward will be handed out for the zero-day. The latest Chrome iteration is now rolling out as version 137.0.7151.68/.69 for Windows and macOS, and as version 137.0.7151.68 for Linux.
·securityweek.com·
Announcing a new strategic collaboration to bring clarity to threat actor naming | Microsoft Security Blog
Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies to help security professionals connect insights faster. In today’s cyberthreat landscape, even seconds of delay can mean the difference between stopping a cyberattack or falling victim to ransomware. One major cause of delayed response is understanding threat actor attribution, which is often slowed by inaccurate or incomplete data as well as inconsistencies in naming across platforms. This, in turn, can reduce confidence, complicate analysis, and delay response. As outlined in the National Institute of Standards and Technology’s (NIST) guidance on threat sharing (SP 800-150), aligning how we describe and categorize cyberthreats can improve understanding, coordination, and overall security posture. That’s why we are excited to announce that Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies. By mapping where our knowledge of these actors aligns, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence. Names are how we make sense of the threat landscape and organize insights into known or likely cyberattacker behaviors. At Microsoft, we’ve published our own threat actor naming taxonomy to help researchers and defenders identify, share, and act on our threat intelligence, which is informed by the 84 trillion threat signals that we process daily. But the same actor that Microsoft refers to as Midnight Blizzard might be referred to as Cozy Bear, APT29, or UNC2452 by another vendor. Our mutual customers are always looking for clarity. Aligning the known commonalities among these actor names directly with peers helps to provide greater clarity and gives defenders a clearer path to action.
Introducing a collaborative reference guide to threat actors. Microsoft and CrowdStrike are publishing the first version of our joint threat actor mapping. It includes: a list of common actors tracked by Microsoft and CrowdStrike, mapped by their respective taxonomies; and corresponding aliases from each group’s taxonomy. This reference guide serves as a starting point, a way to translate across naming systems so defenders can work faster and more efficiently, especially in environments where insights from multiple vendors are in play. This reference guide helps to: improve confidence in threat actor identification; streamline correlation across platforms and reports; and accelerate defender action in the face of active cyberthreats. This effort is not about creating a single naming standard. Rather, it’s meant to help our customers and the broader security community align intelligence more easily, respond faster, and stay ahead of threat actors.
·microsoft.com·
50,000+ Azure AD Users Exposed via Unsecured API: BeVigil Uncovers Critical Flaw | CloudSEK
An unsecured API endpoint buried inside a JavaScript file gave attackers the keys to the kingdom—direct access to sensitive Microsoft Graph data of thousands of employees, including top executives. CloudSEK’s BeVigil platform uncovered how this silent slip could lead to identity theft, phishing attacks, and regulatory nightmares. Here’s how it unfolded—and what your organization must do to stay safe. CloudSEK’s BeVigil platform recently identified a critical security lapse on a publicly accessible subdomain of an aviation giant. The vulnerability stemmed from an exposed JavaScript file that contained an unauthenticated API endpoint. This endpoint granted access tokens to Microsoft Graph with elevated privileges, ultimately leading to unauthorized exposure of sensitive data belonging to more than 50,000 Azure AD users. What Went Wrong: BeVigil’s API Scanner found that a JavaScript bundle on the subdomain included a hardcoded endpoint that could be accessed without authentication. This endpoint issued a Microsoft Graph API token with excessive permissions, specifically User.Read.All and AccessReview.Read.All. These permissions are typically restricted because they grant access to full user profiles and critical identity governance data. Using this token, an attacker could query Microsoft Graph endpoints to retrieve detailed employee information, including names, job titles, contact details, reporting structures, and even access review configurations. Such exposure not only undermines user privacy but also opens the door to privilege escalation, identity theft, and targeted phishing campaigns, especially since executive-level data was also exposed. Scale and Severity: The impact is far-reaching. Data associated with over 50,000 users was accessible, and the endpoint continued to return records for newly added users. Among the exposed information were personal identifiers, user principal names, access role assignments, and other governance details.
An exposure of this magnitude significantly increases the organization’s attack surface and introduces compliance risks under frameworks such as GDPR and CCPA. Security and Compliance Implications: Unauthorized Data Access: Attackers could exploit the API to retrieve confidential employee records directly from Azure AD. Token Misuse: The leaked token could grant unrestricted visibility into internal directory structures and governance decisions. (Figure: Snapshot of the generated authorization token.) Executive Exposure: The data of senior leadership was accessible, making them high-value targets for impersonation or social engineering. Regulatory Violations: The exposure of personally identifiable information without proper safeguards raises serious compliance concerns. Data breaches erode user trust and can lead to long-term reputational harm and operational disruption. Recommended Remediations: BeVigil recommended that the following actions be implemented as a priority. Disable Public API Access: Restrict the vulnerable endpoint and enforce strict authentication controls. Revoke Compromised Tokens: Invalidate exposed tokens and rotate affected credentials. Enforce Least Privilege: Review and limit token scopes to only what is necessary. Monitor API Usage: Implement logging and alerting to detect abnormal Microsoft Graph activity. Secure Front-End Code: Avoid embedding sensitive endpoints or token logic in client-side scripts. Review Permissions and Roles: Audit all Azure AD roles and access reviews to eliminate overprovisioned permissions. Implement Rate Limiting: Protect API endpoints with rate controls and anomaly detection.
·cloudsek.com·
Official Root Cause Analysis (RCA) for SentinelOne Global Service Interruption
On May 29, 2025, SentinelOne experienced a global service disruption affecting multiple customer-facing services. During this period, customer endpoints remained protected, but security teams were unable to access the management console and related services, which significantly impacted their ability to manage their security operations and access important data. We apologize for the disruption caused by this service interruption. The root cause of the disruption was a software flaw in an infrastructure control system that removed critical network routes, causing widespread loss of network connectivity within the SentinelOne platform. It was not a security-related event. The majority of SentinelOne services experienced full or partial downtime due to this sudden loss of network connectivity to critical components in all regions. We’d like to assure our commercial customers that their endpoints were protected throughout the duration of the service disruption and that no SentinelOne security data was lost during the event. Protected endpoint systems themselves did not experience downtime due to this incident. A core design principle of the SentinelOne architecture is to ensure protection and prevention capabilities continue uninterrupted without constant cloud connectivity or human dependency for detection and response – even in the case of service interruptions, of any kind, including events like this one.
·sentinelone.com·
Hidden Bear: The GRU hackers of Russia’s most notorious kill squad
Russian GRU Unit 29155 is best known for its long list of murder and sabotage ops, which include the Salisbury poisonings in England, arms depot explosions in Czechia, and an attempted coup d’etat in Montenegro. But its activities in cyberspace remained in the shadows — until now. After reviewing a trove of hidden data, The Insider can report that the Kremlin’s most notorious black ops squad also fielded a team of hackers — one that attempted to destabilize Ukraine in the months before Russia’s full-scale invasion. For members of Russia’s most notorious black ops unit, they look like children. Even their photographs on the FBI’s “wanted” poster show a group of spies born around the time Vladimir Putin came to power in Russia. But then, hacking is a young man’s business. In August 2024, the U.S. Justice Department indicted Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, Nikolay Korchagin, Amin Stigal and Yuriy Denisov for conducting “large-scale cyber operations to harm computer systems in Ukraine prior to the 2022 Russian invasion,” using malware to wipe data from systems connected to Ukraine’s critical infrastructure, emergency services, even its agricultural industry, and masking their efforts as plausibly deniable acts of “ransomware” – digital blackmail. Their campaign was codenamed “WhisperGate.” The hackers posted the personal medical data, criminal records, and car registrations of untold numbers of Ukrainians. The hackers also probed computer networks “associated with twenty-six NATO member countries, searching for potential vulnerabilities” and, in October 2022, gained unauthorized access to computers linked to Poland’s transportation sector, which was vital for the inflow and outflow of millions of Ukrainians – and for the transfer of crucial Western weapons systems to Kyiv. 
More newsworthy than the superseding indictment of this sextet of hackers was the organization they worked for: Unit 29155 of Russia’s Main Intelligence Directorate of the General Staff, or GRU. In the past decade and a half, this elite team of operatives has been responsible for the Novichok poisonings of Russian ex-spy Sergei Skripal and Bulgarian arms manufacturer Emilian Gebrev, an abortive coup in Montenegro, and a series of explosions of arms and ammunition depots in Bulgaria and Czechia. Unit 29155 is Russia’s kill and sabotage squad. But now they were being implicated for the first time as state hackers. Moreover, the U.S. government made a compelling case that Unit 29155 was engaged in cyber attacks designed to destabilize Ukraine in advance of Russian tanks and soldiers stealing across the border – if this were true, it would mean that at least one formidable arm of Russian military intelligence knew about a war that other Russian special services were famously kept in the dark about. This hypothesis is consistent with prior findings by The Insider showing that members of 29155 were deployed into Ukraine a few days before the full-scale invasion.
·theins.press·
Google Online Security Blog: Sustaining Digital Certificate Security - Upcoming Changes to the Chrome Root Store
Note: Google Chrome communicated its removal of default trust of Chunghwa Telecom and Netlock in the public forum on May 30, 2025. The Chrome Root Program Policy states that Certification Authority (CA) certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It also describes many of the factors we consider significant when CA Owners disclose and respond to incidents. When things don’t go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement. Chrome's confidence in the reliability of Chunghwa Telecom and Netlock as CA Owners included in the Chrome Root Store has diminished due to patterns of concerning behavior observed over the past year. These patterns represent a loss of integrity and fall short of expectations, eroding trust in these CA Owners as publicly-trusted certificate issuers trusted by default in Chrome. To safeguard Chrome’s users, and preserve the integrity of the Chrome Root Store, we are taking the following action.
Upcoming change in Chrome 139 and higher: Transport Layer Security (TLS) server authentication certificates validating to the following root CA certificates whose earliest Signed Certificate Timestamp (SCT) is dated after July 31, 2025 11:59:59 PM UTC, will no longer be trusted by default.
OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co., Ltd.,C=TW
CN=HiPKI Root CA - G1,O=Chunghwa Telecom Co., Ltd.,C=TW
CN=NetLock Arany (Class Gold) Főtanúsítvány,OU=Tanúsítványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
TLS server authentication certificates validating to the above set of roots whose earliest SCT is on or before July 31, 2025 11:59:59 PM UTC, will be unaffected by this change. This approach attempts to minimize disruption to existing subscribers using a previously announced Chrome feature to remove default trust based on the SCTs in certificates.
·security.googleblog.com·
Lumma Infostealer – Down but Not Out?
Key Findings:
* The takedown achieved a significant disruption to the Lumma infostealer’s infrastructure, but likely didn’t permanently affect most of its Russia-hosted infrastructure.
* Lumma’s developers are undertaking significant efforts to reinstate the activity and to conduct business as usual.
* There seems to be significant reputational damage to the Lumma infostealer, and the key factor in whether it resumes regular activity will be reputational rather than technological.
On May 21, 2025, Europol, the FBI, and Microsoft, in collaboration with other public and private sector partners, announced an operation to dismantle the activity of the Lumma infostealer. The malware, considered to be one of the most prolific infostealers, is distributed through a malware-as-a-service model. In addition to its use by common cyber criminals for stealing credentials, Lumma was observed to be part of the arsenal of several prominent threat actor groups, including Scattered Spider, Angry Likho, and CoralRaider. The Takedown on the Dark Web: According to the reports, the takedown operation began on May 15. On that day, Lumma customers flooded dark web forums that advertise the stealer, complaining they were unable to access the malware’s command and control (C2) servers and management dashboards.
·blog.checkpoint.com·
The hottest new vibe coding startup Lovable is a sitting duck for hackers
Lovable is accused of failing to fix security flaws that exposed information about users, a growing vulnerability as vibe coding’s popularity surges. Lovable, the popular vibe coding app that describes itself as the fastest-growing company in Europe, has failed to fix a critical security flaw, despite being notified about it months ago, according to a new report by an employee at a competitor. The service offered by Lovable, a Swedish startup that bills its product as “the last piece of software,” allows customers without any technical training to instantly create websites and apps using only natural language prompts. The employee at AI coding assistant company Replit who wrote the report, reviewed by Semafor, says he and a colleague scanned 1,645 Lovable-created web apps that were featured on the company’s site. Of those, 170 allowed anyone to access information about the site’s users, including names, email addresses, financial information and secret API keys for AI services that would allow would-be hackers to run up charges billed to Lovable’s customers. The vulnerability, which was made public on the National Vulnerability Database on Thursday, highlights a growing security problem as artificial intelligence allows anyone to become a software developer. Each new app or website created by novices is a potential sitting duck for hackers with automated tools that target everything connected to the internet. The advent of amateur vibe coding raises new questions about who is responsible for securing consumer products in an era where developers with zero security know-how can build them.
·semafor.com·
Dero miner spreads inside containerized Linux environments | Securelist
Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API and “bites” (exploits) it by creating new malicious containers and compromising the running ones, thus transforming them into new “zombies” that will mine for Dero currency and continue “biting” new victims. No command-and-control server is required for the delivery, just an exponentially growing number of victims that are automatically infecting new ones. That’s exactly what the new Dero mining campaign does. During a recent compromise assessment project, we detected a number of running containers with malicious activities. Some of the containers were previously recognized, while others were not. After forensically analyzing the containers, we confirmed that a threat actor was able to gain initial access to a running containerized infrastructure by exploiting an insecurely published Docker API. This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks. The diagram below describes the attack vector: The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. Both samples are written in Golang and packed with UPX. Kaspersky products detect these malicious implants with the following verdicts: nginx: Trojan.Linux.Agent.gen; Dero crypto miner: RiskTool.Linux.Miner.gen. nginx: the propagation malware. This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.
The malware is named “nginx” to masquerade as the well-known legitimate nginx web server software in an attempt to evade detection by users and security tools. In this post, we’ll refer to this malware as “nginx”. After unpacking the nginx malware, we parsed the metadata of the Go binary and were able to determine the location of the Go source code file at compilation time: “/root/shuju/docker2375/nginx.go”.
·securelist.com·
Czech Republic says China behind cyberattack on ministry, embassy rejects accusations | Reuters
The Czech Republic on Wednesday accused China of being responsible for a "malicious cyber campaign" targeting a network used for unclassified communication at its Foreign Affairs ministry, but China rejected the accusations. China's embassy in Prague called on the Czech side to end its "microphone diplomacy". The attacks started during the country's 2022 EU presidency and were perpetrated by the cyber espionage group APT31, the Czech government said in a statement. The Czech Republic, an EU state and NATO member, said APT31 was publicly associated with the Chinese Ministry of State Security. Foreign Minister Jan Lipavsky said that after the attack was detected, the ministry implemented a new communications system with enhanced security in 2024. "I summoned the Chinese ambassador to make clear that such hostile actions have serious consequences for our bilateral relations," he said. Lipavsky said the attacks centered on email and other documents and focused on information concerning Asia. "The Government of the Czech Republic strongly condemns this malicious cyber campaign against its critical infrastructure," the government said in its statement. China's embassy in the Czech Republic expressed "strong concern and decisive disagreement" with the Czech accusations.
·reuters.com·
New Russia-affiliated actor Void Blizzard targets critical sectors for espionage
Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.
·microsoft.com·
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration. Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss. Earth Lamia has primarily targeted organizations in Brazil, India, and Southeast Asia since 2023. Initially focused on financial services, the group shifted to logistics and online retail, most recently focusing on IT companies, universities, and government organizations. Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One also provides hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Earth Lamia. Introduction We have been tracking an active intrusion set that primarily targets organizations located in countries including Brazil, India, and Southeast Asia since 2023. The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations. The actor also takes advantage of various known vulnerabilities to exploit public-facing servers. Research reports have also mentioned their aggressive operations, including REF0657, STAC6451, and CL-STA-0048. Evidence we collected during our research indicates this group is a China-nexus intrusion set, which we now track as Earth Lamia. Earth Lamia is highly active, but our observation found that its targets have shifted over different time periods. They targeted many organizations but focused only on a few specific industries during each time period. In early 2024 and prior, we observed that most of their targets were organizations within the financial industry, specifically related to securities and brokerage. In the second half of 2024, they shifted their targets to organizations mainly in the logistics and online retail industries. 
Recently, we noticed that their targets have shifted again to IT companies, universities, and government organizations. Figure 1. Map of targeted countries. Earth Lamia continuously develops customized hacking tools and backdoors to improve their operations. While the actor highly leverages open-source hacking tools to conduct their attacks, they also customized these hacking tools to reduce the risk of being detected by security software. We also discovered they have developed a previously unseen backdoor, which we named PULSEPACK. The first version of PULSEPACK was identified in Earth Lamia's attacks during August 2024. In 2025, we found an upgraded version of PULSEPACK, which uses a different protocol for C&C communication, showing they are actively developing this backdoor. In this report, we will reveal the details of Earth Lamia’s operations and share the analysis of their customized hacking tools and backdoors. Initial access and post-exploitation TTPs: We found that Earth Lamia frequently conducted vulnerability scans to identify possible SQL injection vulnerabilities on the targets' websites. With an identified vulnerability, the actor tried to open a system shell through it to gain remote access to the victims' SQL servers. We suspect they are likely using tools like "sqlmap" to carry out these attacks against their targets.
Besides the SQL injection attempts, our telemetry shows the actor also exploited the following vulnerabilities on different public-facing servers:
CVE-2017-9805: Apache Struts2 remote code execution vulnerability
CVE-2021-22205: GitLab remote code execution vulnerability
CVE-2024-9047: WordPress File Upload plugin arbitrary file access vulnerability
CVE-2024-27198: JetBrains TeamCity authentication bypass vulnerability
CVE-2024-27199: JetBrains TeamCity path traversal vulnerability
CVE-2024-51378: CyberPanel remote code execution vulnerability
CVE-2024-51567: CyberPanel remote code execution vulnerability
CVE-2024-56145: Craft CMS remote code execution vulnerability
·trendmicro.com·
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
Victoria's Secret hit by outages as it battles security incident | TechCrunch
Victoria’s Secret hit by outages as it battles security incident Fashion retail giant Victoria’s Secret said it is addressing a “security incident,” as its website and online orders face ongoing disruption. Victoria’s Secret posted the brief statement on its website Wednesday. The company’s outages began earlier on Monday, as users have reported not being able to access the Victoria’s Secret website. “We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in store services as a precaution,” a spokesperson for Victoria’s Secret said in response to TechCrunch’s inquiries. The spokesperson did not provide their name nor describe the nature of the cybersecurity incident. “We are working to quickly and securely restore operations,” the spokesperson said. The company said its stores remain open. Victoria’s Secret closed down 7% on the news of the security incident.
·techcrunch.com·
Tracking AyySSHush: a Newly Discovered ASUS Router Botnet Campaign
Executive Summary:

A new, stealthy ASUS router botnet, dubbed AyySSHush, abuses trusted firmware features through a multi-stage attack sequence to backdoor routers and persist across firmware updates, evading traditional detection methods. GreyNoise observed the campaign in March 2025; Censys scan data reveals its global footprint and how it's evolved over the past five months.

4,504 ASUS devices show indicators of compromise as of May 28, 2025, identified by having SSH running on port TCP/53282 — a relatively strong indicator of AyySSHush compromise since this high, nonstandard port is specifically used by the botnet.

The compromises are globally spread with an APAC concentration: the top affected countries include the U.S., Sweden, Taiwan, Singapore, and Hong Kong. Residential ISPs across Asia, Europe, and the U.S. appear to be the main targeted networks, aligning with the typically observed residential proxy botnet strategy that mimics legitimate users to evade detection.

Historical trends in compromises observed online reveal a highly dynamic scale of botnet operations that rapidly scaled up and down by 50% in a matter of weeks.

Attackers leverage ASUS's own built-in configuration tools to inject SSH keys that survive firmware resets -- patching alone isn't enough.

Check out our live dashboard tracking exposed ASUS devices with indicators of compromise.

Introduction

On March 18, 2025, researchers at GreyNoise uncovered a sophisticated botnet campaign targeting ASUS routers. Dubbed AyySSHush, the operation exploits legitimate features of ASUS’s AiProtection system to implant persistent SSH backdoors that survive firmware resets. This is an alarming example of threat actors exploiting vendor-sanctioned capabilities to establish a persistent, hard-to-detect presence in consumer-grade hardware. Censys has been tracking this botnet’s global footprint in partnership with findings from both GreyNoise and Sekoia researchers.
To aid in ongoing tracking and research, we’ve launched a live dashboard that tracks exposed ASUS routers showing indicators of AyySSHush compromise. The data updates daily and provides real-time insight into global trends.
·censys.com·
Lyrix Ransomware
CYFIRMA’s research team discovered Lyrix Ransomware while monitoring underground forums as part of our Threat Discovery Process. Developed in Python and compiled with PyInstaller — allowing it to run as a standalone executable with all dependencies — Lyrix targets Windows systems using strong encryption and appends a unique file extension to encrypted files. Its advanced evasion techniques and persistence mechanisms make it challenging to detect and remove. This discovery underscores the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data and reduce the risk of breaches.

Target Technologies: Windows Operating System
Written In: Python
Encrypted file extension: Original file names appended with ‘.02dq34jROu’ extension
Observed First: 2025-04-20

Problem Statement

Lyrix Ransomware targets Windows operating systems using advanced evasion and anti-analysis techniques to reduce the likelihood of detection. Its tactics include obfuscating malicious behavior, bypassing rule-based detection systems, employing strong encryption, issuing ransom demands, and threatening to leak stolen data on underground forums.

Lyrix Ransomware Basic Details

Filename: Encryptor.exe
Size: 20.43 MB
Signed: Not signed
File Type: Win32 EXE
Timestamp: Sun Apr 20 09:04:34 2025 (UTC)
SHA 256 Hash: fcfa43ecb55ba6a46d8351257a491025022f85e9ae9d5e93d945073f612c877b
·cyfirma.com·
UK to deliver pioneering battlefield system and bolster cyber warfare capabilities under Strategic Defence Review
Defence Secretary announces new Cyber and Electromagnetic Command and £1 billion investment in pioneering battlefield system.

Defence Secretary John Healey with personnel at MoD Corsham. MoD Crown Copyright.

More than £1 billion to be invested in pioneering ‘Digital Targeting Web’ to spearhead battlefield engagements, applying lessons learnt from Ukraine to the UK Armed Forces.

New Cyber and Electromagnetic Command will oversee cyber operations for Defence as careers pathway accelerated.

Innovation delivers on the Government’s Plan for Change by bolstering national security and creating skilled jobs.

Pinpointing and eliminating enemy targets will take place faster than ever before, as the Government invests more than £1 billion to equip the UK Armed Forces with a pioneering battlefield system. A new Cyber and Electromagnetic Command will also be established to put the UK at the forefront of cyber operations as part of the Strategic Defence Review (SDR). The announcements were made by Defence Secretary, John Healey MP on a visit to MOD Corsham, the UK military’s cyber HQ.

The Ministry of Defence will develop a new Digital Targeting Web to better connect Armed Forces weapons systems and allow battlefield decisions for targeting enemy threats to be made and executed faster. This pioneering digital capability will give the UK a decisive advantage through greater integration across domains, new AI and software, and better communication between our Armed Forces. As an example, a threat could be identified by a sensor on a ship or in space before being disabled by an F-35 aircraft, drone, or offensive cyber operation. This follows the Prime Minister’s historic commitment to increase defence spending to 2.5% of GDP, recognising the critical importance of military readiness in an era of heightened global uncertainty.

Delivering this new Digital Targeting Web is central to UK efforts to learn lessons directly from the front line in Ukraine. When the Ukrainians achieved a step-change in lethality early in the war – by being able to find the enemy, target them and attack quickly and at scale – it allowed them to stop the encircling Russian advance.

The Ministry of Defence will establish a Cyber and Electromagnetic Command. It will sit under General Sir James Hockenhull’s Command and follows the MOD having to protect UK military networks against more than 90,000 ‘sub-threshold’ attacks in the last two years. The Command will lead defensive cyber operations and coordinate offensive cyber capabilities with the National Cyber Force. The new Command will also harness all the Armed Forces’ expertise in electromagnetic warfare, helping them to seize and hold the initiative in a high-tempo race for military advantage – for example, through degrading command and control, jamming signals to drones or missiles and intercepting an adversary’s communications.
·gov.uk·
Update on May 29 Outage
UPDATE 2 (7:41 PM UTC): Access to consoles has been restored for all customers following today’s platform outage and service interruption. We continue to validate that all services are fully operational.

UPDATE 1 (6:10 PM UTC): Services are actively being restored and consoles are coming online.

On May 29, 2025, SentinelOne experienced an outage that is impacting commercial customer consoles. The following message has been sent to all customers and partners. Communications are being updated real-time in our support portal and will be updated here as necessary.

We are aware of ongoing console outages affecting commercial customers globally and are currently restoring services. Customer endpoints are still protected at this time, but managed response services will not have visibility. Threat data reporting is delayed, not lost. Our initial RCA suggests this is not a security incident. We apologize for the inconvenience and appreciate your patience as we work to resolve the issue.
·sentinelone.com·
ConnectWise Confirms ScreenConnect Cyberattack, Says Systems Now Secure: Exclusive
ConnectWise did not disclose information about when the data breach occurred, as well as the number of MSPs or end users impacted by the breach. ‘ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,’ ConnectWise said in a statement. ConnectWise has confirmed it suffered a recent cyberattack that led to unauthorized access of its ScreenConnect cloud infrastructure. “ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,” the Tampa, Fla.-based vendor said in a statement. “We have launched an investigation with one of the leading forensic experts, Mandiant. We have communicated with all affected customers and are coordinating with law enforcement. As part of our work with Mandiant, we patched ScreenConnect and implemented enhanced monitoring and hardening measures across our environment. We have not observed any further suspicious activity in any customer instances. The security of our services is paramount to us, and we are closely monitoring the situation and will share additional information as we are able.” No further signs of malicious activity have been detected since the update was applied, a source familiar with the situation, who asked for anonymity, told CRN.
·crn.com·
Safari Vulnerability Enables Attackers to Steal Credentials with Fullscreen BitM Attacks
According to MITRE, Browser-in-the-Middle (BitM) is an attack where “an adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim’s browser to the adversary’s system.” This attack has been used by many attackers to trick victims into unknowingly entering credentials and providing sensitive information on an attacker-controlled window. The attack was first disclosed in a paper by researchers from the University of Salento in 2021, and we have seen many cases of BitM being used in the wild since then. However, one key flaw of the BitM attack is that it still requires the victim to land on a malicious site and perform an action to open up the noVNC pop-up window. As the parent window still has a malicious URL in its address bar, this will likely raise suspicion among more security-aware users at the point of credential entry.

SquareX’s research team has observed multiple instances of the browser’s Fullscreen API being exploited to address this flaw by displaying a fullscreen BitM window that covers the parent window’s address bar, as well as a limitation specific to Safari browsers that makes fullscreen BitM attacks especially convincing. The article below will recap how BitM attacks work, explore the Fullscreen API requirements and why Safari browsers are particularly vulnerable to fullscreen BitM attacks.

Traditional Browser-in-the-Middle (BitM) Attacks

To illustrate how a typical BitM attack works, we will use a real attack that targeted Counter-Strike 2 gamers. Incentivized by cryptocurrency and skin giveaways, victims were tricked into entering their Steam credentials. These compromised accounts were then sold on the black market for up to $300,000. Here is how it works:

Note: The case study below actually used the Browser-in-the-Browser (BitB) technique, where instead of using remote desktop, the attackers most commonly use HTML, CSS and JavaScript to mimic login pop-ups of popular SaaS or Single Sign-On (SSO) services. We chose this example as it is a well documented attack and because the social engineering and principles behind this attack can also be used in BitM attacks.
·labs.sqrx.com·
Massive leak exposes Russian nuclear facilities
Detailed blueprints of Russia’s modernized nuclear weapon sites, including missile silos, were found leaking in a public procurement database. Russia is modernizing its nuclear weapon sites, including underground missile silos and support infrastructure. Data, including building plans, diagrams, equipment, and other schematics, is accessible to anyone in the public procurement database. Journalists from Danwatch and Der Spiegel scraped and analyzed over two million documents from the public procurement database, which exposed Russian nuclear facilities, including their layout, in great detail. The investigation unveils that European companies participate in modernizing them.

According to the exclusive Der Spiegel report, Russian procurement documents expose some of the world’s most secret construction sites. “It even contains floor plans and infrastructure details for nuclear weapons silos,” the report reads. German building materials and construction system giant Knauf and numerous other European companies were found to be indirectly supplying the modernization through small local companies and subsidiaries. Knauf condemned the Russian invasion of Ukraine and announced its intention to withdraw from its Russian business in 2024. Knauf told Der Spiegel that it only trades with independent dealers and cannot control who ultimately uses its materials in Russia.

Danwatch jointly reports that “hundreds of detailed blueprints” of Russian nuclear facilities, exposed in procurement databases, make them vulnerable to attacks. “An enormous Russian security breach has exposed the innermost parts of Russia’s nuclear modernization,” the article reads. “It’s completely unprecedented.” The journalists used proxy servers in Russia, Kazakhstan, and Belarus to circumvent network restrictions and access the documents. The rich multimedia in the report details the inner structure of bunkers and missile silos.
·cybernews.com·
OneDrive File Picker OAuth Flaw Exposes Full Drive Access
Oasis Security's research team uncovered a flaw in Microsoft's OneDrive File Picker that allows websites to access a user’s entire OneDrive content, rather than just the specific files selected for upload via OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp – meaning millions of users may have already granted these apps access to their OneDrive. This flaw could have severe consequences, including customer data leakage and violation of compliance regulations. Upon discovery, Oasis reported the flaw to Microsoft and advised vendors using OneDrive File Picker of the issue. In response, Microsoft is considering future improvements, including more precise alignment between what OneDrive File Picker does and the access it requires. Below are details of the flaw and mitigation strategies. You can read the Oasis Security Research team’s full report here.

The Flaws

Excessive Permissions in the OneDrive File Picker

The official OneDrive File Picker implementation requests read access to the entire drive – even when uploading just a single file – due to the lack of fine-grained OAuth scopes for OneDrive. While users are prompted to provide consent before completing an upload, the prompt’s vague and unclear language does not communicate the level of access being granted, leaving users open to unexpected security risks. The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option.

Insecure Storage of Sensitive Secrets

Sensitive secrets used for this access are often stored insecurely by default. The latest version of OneDrive File Picker (8.0) requires developers to take care of the authentication themselves, typically using the Microsoft Authentication Library (MSAL) and most likely using the Authorization Flow. Security risks ensue: MSAL stores sensitive tokens in the browser’s session storage in plain text. With Authorization Flows a Refresh Token may also be issued, which lengthens the access period, providing ongoing access to the user's data. Notably, OpenAI uses version 8.0.

Mitigation Steps

The lack of fine-grained OAuth scopes combined with Microsoft’s vague user prompt is a dangerous combination that puts both personal and enterprise users at risk. Oasis Security recommends that individuals and technology leaders review the third-party access they’ve granted to their account to mitigate the potential risks raised by these issues.

Check Whether or Not You’ve Previously Granted Access to a Vendor

How to for Private Accounts

1. Log in to your Microsoft Account.
2. In the left or top pane, click on "Privacy".
3. Under "App Access", select the list of apps that have access to your account.
4. Review the list of apps, and for each app, click on “Details” to view the specific scopes and permissions granted.
5. You can “Stop Sharing” at any time. Consider that an Access Token takes about an hour to expire regardless of when you clicked “Stop Sharing”. This would, however, revoke a Refresh Token if present.
·oasis.security·
North Korea Infiltrates U.S. Remote Jobs—With the Help of Everyday Americans
A LinkedIn message drew a former waitress in Minnesota into a type of intricate scam involving illegal paychecks and stolen data Christina Chapman looked the part of an everyday American trying to make a name for herself in hustle culture. In prolific posts on her TikTok account, which grew to more than 100,000 followers, she talked about her busy life working from home with clients in the computer business and the fantasy book she had started writing. She posted about liberal political causes, her meals and her travels to see her favorite Japanese pop band. Yet in reality the 50-year-old was the operator of a “laptop farm,” filling her home with computers that allowed North Koreans to take jobs as U.S. tech workers and illegally collect $17.1 million in paychecks from more than 300 American companies, according to federal prosecutors. In a June 2023 video, she said she didn’t have time to make her own breakfast that morning—“my clients are going crazy,” she said. Then she describes the açaí bowl and piña colada smoothie she bought. As she talks, at least 10 open laptops are visible on the racks behind her, their fans audibly whirring, with more off to the side. In 2023, Christina Chapman posted a TikTok that had racks of laptops visible in the background. The Wall Street Journal highlighted the laptops in this clip of the video. Chapman was one of an estimated several dozen “laptop farmers” that have popped up across the U.S. as part of a scam to infiltrate American companies and earn money for cash-strapped North Korea. People like Chapman typically operate dozens of laptops meant to be used by legitimate remote workers living in the U.S. What the employers—and often the farmers themselves—don’t realize is that the workers are North Koreans living abroad but using stolen U.S. identities. 
Once they get a job, they coordinate with someone like Chapman who can provide some American cover—accepting deliveries of the computer, setting up the online connections and helping facilitate paychecks. Meanwhile the North Koreans log into the laptops from overseas every day through remote-access software. Chapman fell into her role after she got a request on LinkedIn to “be the U.S. face” for a company that got jobs for overseas IT workers, according to court documents. There’s no indication that she knew she was working with North Koreans.
·wsj.com·
DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers – Sophos News
Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network

Sophos MDR recently responded to a targeted attack involving a Managed Service Provider (MSP). In this incident, a threat actor gained access to the MSP’s remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom. Sophos MDR has medium confidence the threat actor exploited a chain of vulnerabilities that were released in January 2025:

CVE-2024-57727: Multiple path traversal vulnerabilities
CVE-2024-57728: Arbitrary file upload vulnerability
CVE-2024-57726: Privilege escalation vulnerability

DragonForce

DragonForce ransomware is an advanced and competitive ransomware-as-a-service (RaaS) brand that first emerged in mid-2023. As discussed in recent research from Sophos Counter Threat Unit (CTU), DragonForce began efforts in March to rebrand itself as a “cartel” and shift to a distributed affiliate branding model. Coinciding with this effort to appeal to a wider range of affiliates, DragonForce recently garnered attention in the threat landscape for claiming to “take over” the infrastructure of RansomHub. Reports also suggest that well-known ransomware affiliates, including Scattered Spider (UNC3944), formerly a RansomHub affiliate, have been using DragonForce in attacks targeting multiple large retail chains in the UK and the US.

The incident

Sophos MDR was alerted to the incident by detection of a suspicious installation of a SimpleHelp installer file. The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for their clients. The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.

One client of the MSP was enrolled with Sophos MDR and had Sophos XDR endpoint protection deployed. Through a combination of behavioral and malware detection and blocking by Sophos endpoint protection, and MDR actions to shut down attacker access to the network, the ransomware and double extortion attempt on that customer’s network were thwarted. However, the MSP and clients that were not using Sophos MDR were impacted by both the ransomware and data exfiltration. The MSP engaged Sophos Rapid Response to provide digital forensics and incident response on their environment.
·news.sophos.com·
Estonia launches international search for Moroccan citizen wanted over data theft
The Central Criminal Police and the Office of the Prosecutor General have initiated an international search for a Moroccan citizen suspected of last year unlawfully accessing and downloading data from a customer card system managed by Allium UPI. Allium UPI is the parent company of the Apotheka pharmacy chain. Based on evidence collected in the criminal proceedings, 25-year-old Moroccan citizen Adrar Khalid is suspected of illegally downloading data from the Allium UPI database, in February 2024. Reemo Salupõld, head of the investigation group at the Central Criminal Police's cybercrime bureau, said there is reason to suspect that Khalid gained access to the database by logging in with an account that came with administrator privileges. How the suspect came to obtain the password for that account is still under investigation. Salupõld said: "Regardless of how long and complex a password is, this case clearly shows that this is no longer sufficient on its own today. Cybercriminals are finding increasingly ingenious ways to access accounts, which is why we recommend everyone use two-factor authentication – this adds an extra layer of protection that can be crucial if a password does get leaked or ends up in the wrong hands."
·news.err.ee·
AyySSHush: Tradecraft of an emergent ASUS botnet
Using an AI-powered network traffic analysis tool we built called SIFT, GreyNoise has caught multiple anomalous network payloads with zero effort that are attempting to disable TrendMicro security features in ASUS routers, then exploit vulnerabilities and novel tradecraft in ASUS AiProtection features on those routers. Irony? Top Score. You love to see it.

Note: This activity was first discovered by GreyNoise on March 18, 2025. Public disclosure was deferred as we coordinated the findings with government and industry partners.

In summary, we are observing an ongoing wave of exploitation targeting ASUS routers, combining both old and new attack methods. After an initial wave of generic brute-force attacks targeting login.cgi, we observe subsequent attempts exploiting older authentication bypass vulnerabilities. Using either of the above methods to gain privileged access to ASUS hardware, we observe payloads exploiting a command injection vulnerability to create an empty file at /tmp/BWSQL_LOG. The existence of a file at this path enables BWDPI logging, a TrendMicro feature embedded in ASUS routers. Finally, we see remote SSH enabled on a high port TCP/53282 through the official ASUS settings with an attacker-controlled public key added to the router’s keyring. This grants the attacker exclusive SSH access. Additionally, because the backdoor is part of the official ASUS settings, it will persist across firmware upgrades, even after the original vulnerability used to gain access has been patched.
The attacker-controlled pubkey that is added is:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZJ8L5mzhhaxfGzpHR8Geay/xDlVDSJ8MJwA4RJ7o21KVfRXqFblQH4L6fWIYd1ClQbZ6Kk1uA1r7qx1qEQ2PqdVMhnNdHACvCVz/MPHTVebtkKhEl98MZiMOvUNPtAC9ppzOSi7xz3cSV0n1pG/dj+37pzuZUpm4oGJ3XQR2tUPz5MddupjJq9/gmKH6SJjTrHKSECe5yEDs6c3v6uN4dnFNYA5MPZ52FGbkhzQ5fy4dPNf0peszR28XGkZk9ctORNCGXZZ4bEkGHYut5uvwVK1KZOYJRmmj63drEgdIioFv/x6IcCcKgi2w== rsa 2048

You can find an actively growing list of backdoored hosts here: Censys Search. This list provides detailed information on hosts with the backdoor in question.

Now let’s go threat hunting! 👋 botnet operator, we were watching.
·labs.greynoise.io·
DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems. Sophos was brought in to investigate the attack and believes the threat actors exploited a chain of older SimpleHelp vulnerabilities tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to breach the system. SimpleHelp is a commercial remote support and access tool commonly used by MSPs to manage systems and deploy software across customer networks.

The report by Sophos says that the threat actors first used SimpleHelp to perform reconnaissance on customer systems, such as collecting information about the MSP's customers, including device names and configuration, users, and network connections. The threat actors then attempted to steal data and deploy encryptors on customer networks, which were blocked on one of the networks using Sophos endpoint protection. However, the other customers were not so lucky, with devices encrypted and data stolen for double-extortion attacks. Sophos has shared IOCs related to this attack to help organizations better defend their networks.

MSPs have long been a valuable target for ransomware gangs, as a single breach can lead to attacks on multiple companies. Some ransomware affiliates have specialized in tools commonly used by MSPs, such as SimpleHelp, ConnectWise ScreenConnect, and Kaseya. This has led to devastating attacks, including REvil's massive ransomware attack on Kaseya, which impacted over 1,000 companies.
·bleepingcomputer.com·
Adidas confirms customer data stolen in third-party breach, but still no word if US or EU customers impacted
Adidas on Tuesday officially confirmed that a third-party breach has led to the compromise of customer data, but questions remain as to whose customer data was impacted and where. The German sportswear company was reported by Cybernews to have sent breach notifications to its regional customers in Turkey and Korea earlier this month. But now, it appears Adidas has posted an official notice on both its German and English-language websites about what could be one singular cyber incident impacting its entire network – or possibly a third breach impacting another Adidas regional network. Titled “Data Security Information,” Adidas stated it recently became aware “that an unauthorized external party obtained certain consumer data through a third-party customer service provider.”

Adidas confirms customer data was stolen in a recent third-party vendor breach on its website, adidas-group.com. Image by Cybernews.

Cybernews, which happened to cover both the Adidas Turkey and the Adidas Korea breaches as they hit the news cycle in their respective countries, has reached out to Adidas for the second time this month, looking for further clarification. So far, there has been no response to either inquiry at the time of this report, but Cybernews will update our readers if that changes. The Korean breach notice states the attackers were able to obtain information customers submitted to the Adidas customer center in 2024 and previous years. Reportedly, the leaked information includes names, email addresses, phone numbers, dates of birth, and other personal details, as was similarly reported in the Turkish media.
·cybernews.com·