Cross-border cyberthreats require international solutions
Bern, 06.05.2025 — The latest semi-annual report of the Federal Office for Cybersecurity (OFCS) shows how cybercriminals operate internationally and which means they use to spread their attacks. Because cyberthreats are now global and dependence on global software solutions keeps growing, cooperation between states is gaining importance in this area. To strengthen cybersecurity in Switzerland, the obligation to report cyberattacks on critical infrastructure entered into force on 1 April 2025. The principles of this obligation are harmonised with international standards and EU directives. As the first point of contact for the public in the event of cyber incidents, the OFCS has since 2020 received voluntary reports of incidents in cyberspace via an online form. Analysis of these reports shows how cybercriminals operate internationally and develop new methods and strategies to spread their attacks. The latest OFCS semi-annual report presents these developments as well as the cyberthreat situation, in Switzerland and worldwide, in the second half of 2024. From July to December 2024, the OFCS received 28,165 reports of cyber incidents, slightly fewer than in the first half of the year. Over the whole of 2024 it recorded 62,954 reports, 13,574 more than the previous year. These fluctuations are mainly explained by waves of calls made in the name of fake authorities. The ratio between reports from the public (90%) and those from companies, associations or authorities (10%) remained stable. For companies, there was a sharp rise in CEO fraud (719 cases in 2024 versus 487 in 2023).
As usual, the categories most frequently mentioned by people who completed the online form were "Fraud", "Phishing" and "Spam". For fraudulent prize draws, the OFCS even received three times as many reports as usual in the second half of 2024.
·news.admin.ch·
Signal clone used by Trump official stops operations after report it was hacked
A messaging service used by former National Security Advisor Mike Waltz has temporarily shut down while the company investigates an apparent hack. The messaging app is used to access and archive Signal messages but is not made by Signal itself. 404 Media reported yesterday that a hacker stole data "from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the US government to archive messages." 404 Media interviewed the hacker and reported that the data stolen "contains the contents of some direct messages and group chats sent using [TeleMessage's] Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat." TeleMessage is based in Israel and was acquired in February 2024 by Smarsh, a company headquartered in Portland, Oregon. Smarsh provided a statement to Ars today saying it has temporarily shut down all TeleMessage services. "TeleMessage is investigating a recent security incident," the statement said. "Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation. Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational." Last week, Waltz was photographed using the TeleMessage Signal app on his phone during a White House cabinet meeting. Waltz's ability to secure sensitive government communications has been in question since he inadvertently invited The Atlantic Editor-in-Chief Jeffrey Goldberg to a Signal chat in which top Trump administration officials discussed a plan for bombing Houthi targets in Yemen. Waltz was removed from his post late last week, with Trump nominating him to serve as ambassador to the United Nations.
·arstechnica.com·
wget to Wipeout: Malicious Go Modules Fetch Destructive Payload
Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.
The Go ecosystem, valued for its simplicity, transparency, and flexibility, has exploded in popularity. With over 2 million modules available, developers rely heavily on public repositories like GitHub. However, this openness is precisely what attackers exploit.
No Central Gatekeeping: Developers freely source modules directly from GitHub repositories, trusting the naming conventions implicitly.
Prime Target for Typosquatting: Minimal namespace validation enables attackers to masquerade malicious modules as popular libraries.
Introduction: The Silent Threat
In April 2025, we detected an attack involving three malicious Go modules which employ similar obfuscation techniques:
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads. Socket's scanners flagged the suspicious behaviors, leading us to a deeper investigation.
·socket.dev·
Linux wiper malware hidden in malicious Go modules on GitHub
A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub. The campaign was detected last month and relied on three malicious Go modules that included “highly obfuscated code” for retrieving remote payloads and executing them.
Complete disk destruction
The attack appears designed specifically for Linux-based servers and developer environments, as the destructive payload, a Bash script named done.sh, runs a ‘dd’ command for the file-wiping activity. Furthermore, the payload verifies that it runs in a Linux environment (runtime.GOOS == "linux") before trying to execute. An analysis from supply-chain security company Socket shows that the command overwrites every byte of data with zeroes, leading to irreversible data loss and system failure. The target is the primary storage volume, /dev/sda, which holds critical system data, user files, databases, and configurations.
“By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable” - Socket
The researchers discovered the attack in April and identified three Go modules on GitHub that have since been removed from the platform:
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
·bleepingcomputer.com·
CVE-2024-7399
Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a CMS used to manage and remotely control digital signage displays. As of early May 2025, Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a content management system (CMS) used to manage and remotely control digital signage displays. The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JavaServer Pages (JSP) files. This high-severity vulnerability had originally been made public by Samsung in August 2024 following responsible disclosure by security researchers, with no exploitation reported at the time. On April 30, 2025, a new research article was published along with technical details and a proof-of-concept (PoC) exploit. Exploitation was then observed within days of that publication. Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability. Arctic Wolf will continue to monitor for malicious post-compromise activities related to this vulnerability, and will alert Managed Detection and Response customers as required when malicious activities are observed.
·arcticwolf.com·
Security Researchers Warn a Widely Used Open Source Tool Poses a 'Persistent' Risk to the US
The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm. Security researchers warn that a popular open source tool maintained by Russian developers could pose significant risks to US national security.
Key Points:
The open source tool easyjson is linked to VK Group, a company run by a sanctioned Russian executive.
easyjson is widely used in the US across various critical sectors including defense, finance, and healthcare.
Concerns are heightened due to the potential for data theft and cyberattacks stemming from this software.
Recent findings from cybersecurity researchers at Hunted Labs indicate that easyjson, a code serialization tool for the Go programming language, is at the center of a national security alert. This tool, which has been integrated into multiple sectors such as the US Department of Defense, is maintained by a group of Russian developers linked to VK Group, led by Vladimir Kiriyenko. While the complete codebase appears secure, the geopolitical context surrounding its management raises substantial concerns about the potential risks involved. The significance of easyjson cannot be overstated, as it serves as a foundational element within the cloud-native ecosystem, critical for operations across various platforms. With connections to a sanctioned CEO and the broader backdrop of Russian state-backed cyberattacks, the fear is that easyjson could be manipulated to conduct espionage or potentially compromise critical infrastructures. Such capabilities underscore the pressing need for independent evaluations and potential reevaluations of software supply chains, particularly when foreign entities are involved.
·wired.com·
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation: CVE-2025-3248, Langflow Missing Authentication Vulnerability. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
·cisa.gov·
DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
DragonForce ransomware group is targeting major UK retailers. Learn about this evolving threat and what steps can be taken to mitigate risk.
In recent weeks, the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks causing major service disruptions. Prominent retailers such as Harrods, Marks and Spencer, and the Co-Op have all reported ongoing incidents affecting payment systems, inventory, payroll and other critical business functions. DragonForce has previously been linked to a number of notable cyber incidents including attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia. In this post, we offer a high-level overview of the DragonForce group, discuss its targeting, initial access methods, and payloads. We further provide a comprehensive list of indicators and defensive recommendations to help security teams and threat hunters better protect their organizations.
Background
DragonForce ransomware operations emerged in August 2023, primarily out of Malaysia (DragonForce Malaysia). The group originally positioned itself as a Pro-Palestine hacktivist-style operation; however, over time their goals have shifted and expanded. The modern-day operation is focused on financial gain and extortion, although the operation still targets government entities, making it something of a hybrid actor, both politically aligned and profit-motivated. The group operates a multi-extortion model, with victims threatened with data leakage via the group’s data leak sites, alongside reputational damage. Recent DragonForce victims have included government institutions, commercial enterprises, and organizations aligned with specific political causes. The group is also known to heavily target law firms and medical practices.
Notably, the group has targeted numerous entities in Israel, India, Saudi Arabia, and more recently several retail outlets in the United Kingdom. Some components of the UK retail attacks have been attributed to an individual affiliated with the loose threat actor collective ‘The Com’, with claims that members are leveraging DragonForce ransomware. Our assessment indicates that the affiliate in question exhibits behavioral and operational characteristics consistent with those previously associated with The Com. However, due to the lack of strong technical evidence and shifting boundaries of The Com, that attribution remains inconclusive and subject to further analysis.
·sentinelone.com·
Backdoor found in popular ecommerce components
Multiple vendors were hacked in a coordinated supply chain attack; Sansec found 21 applications with the same backdoor. Curiously, the malware was injected 6 years ago, but came to life this week as attackers took full control of ecommerce servers. Sansec estimates that between 500 and 1000 stores are running backdoored software.
Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor has been actively used since at least April 20th. Sansec identified these backdoors in the following packages, which were published between 2019 and 2022.
Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD
Meetanshi: ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS
MGS: Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog
We established that Tigren, Magesolution (MGS) and Meetanshi servers have been breached and that attackers were able to inject backdoors on their download servers. This hack is called a Supply Chain Attack, which is one of the worst types. By hacking these vendors, the attacker gained access to all of their customers' stores. And by proxy, to all of the customers that visit these stores. We also found a backdoored version of the Weltpixel GoogleTagManager extension, but we have not been able to establish whether Weltpixel or these particular stores got compromised.
·sansec.io·
Exposing Darcula: a rare look behind the scenes of a global Phishing-as-a-Service operation
Research into a global phishing-as-a-service operation will take you through:
Hundreds of thousands of victims spanning the globe
A glimpse into the lifestyle of the operators
Technical insight into the phishing toolkit
The backend of a phishing threat actor operating at scale
The scam industry has seen explosive growth over the past several years. The types of scams and methods used are constantly evolving as scammers adapt their techniques to continue their activities. They often capitalise on new technologies and target areas where our societies have yet to build mechanisms to protect themselves. This story begins in December 2023 when people all over the world – including a large portion of the Norwegian population – started to receive text messages about packages waiting for them at the post office. The messages would come in the form of an SMS, iMessage or RCS message. What we were witnessing was the rise of a scam technique known as smishing or SMS phishing. Such messages have one thing in common: they impersonate a brand that we trust to create a credible context for soliciting some kind of personal information, thus tricking us into willfully giving away our information. Some scams are easier to spot than others. Spelling errors, poor translations, strange numbers or links to sketchy domains often give them away. But even tell-tale signs can be easy to miss on a busy day. When a large number of people are targeted, some will be expecting a package. And the tactic is obviously working. If it wasn’t worth their while, the scammers wouldn’t have invested so much time, money and effort.
·mnemonic.io·
I StealC You: Tracking the Rapid Changes To StealC
StealC V2 enhances information stealing, introduces RC4 encryption, and provides a new control panel for more targeted payloads.
StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. A redesigned control panel provides an integrated builder that enables threat actors to customize payload delivery rules based on geolocation, hardware IDs (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials. This blog post focuses on the recent changes in StealC V2, describing the improvements in payload delivery, encryption, control panel functionality, and the updated communication protocol.
Key Takeaways
StealC V2, introduced in March 2025, utilizes a JSON-based network protocol with RC4 encryption implemented in recent variants.
StealC V2 now supports loader options that can deliver Microsoft Software Installer (MSI) packages and PowerShell scripts.
The redesigned control panel includes an embedded builder that allows operators to customize payload rules and bot responses based on geolocation, HWID, and installed software.
StealC V2 includes multi-monitor screenshot capture and a unified file grabber that targets crypto wallets, gaming applications, instant messengers, email clients, VPNs, and browsers.
In addition, StealC V2 supports server-side brute-forcing capabilities for credential harvesting.
ThreatLabz has observed StealC V2 being deployed via Amadey, and conversely, it being used to distribute StealC V2.
·zscaler.com·
macOS Vulnerabilities: A Year of Security Research at Kandji
Kandji researchers uncovered and disclosed key macOS vulnerabilities over the past year. Learn how we protect customers through detection and patching. When we discover weaknesses before attackers do, everyone wins. History has shown that vulnerabilities like Gatekeeper bypass and TCC bypass zero-days don't remain theoretical for long—both of these recent vulnerabilities were exploited in the wild by macOS malware. By investing heavily in new security research, we're helping strengthen macOS for everyone. Once reported to Apple, the fix for these vulnerabilities is not always obvious. Depending on the complexity, it can take a few months to over a year, especially if it requires major architectural changes to the operating system. Apple’s vulnerability disclosure program has been responsive and effective. Of course, we don't just report issues and walk away. We ensure our products can detect these vulnerabilities and protect our customers from potential exploitation while waiting for official patches.
·kandji.io·
The Signal Clone the Trump Admin Uses Was Hacked
TeleMessage, a company that makes a modified version of Signal that archives messages for government agencies, was hacked. A hacker has breached and stolen customer data from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the U.S. government to archive messages, 404 Media has learned. The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat. TeleMessage was recently the center of a wave of media coverage after Mike Waltz accidentally revealed he used the tool in a cabinet meeting with President Trump. The hack shows that an app gathering messages of the highest ranking officials in the government—Waltz’s chats on the app include recipients that appear to be Marco Rubio, Tulsi Gabbard, and JD Vance—contained serious vulnerabilities that allowed a hacker to trivially access the archived chats of some people who used the same tool. The hacker has not obtained the messages of cabinet members, Waltz, and people he spoke to, but the hack shows that the archived chat logs are not end-to-end encrypted between the modified version of the messaging app and the ultimate archive destination controlled by the TeleMessage customer.
·micahflee.com·
MCP Prompt Injection: Not Just For Evil
MCP tools are implicated in several new attack techniques. Here's a look at how they can be manipulated for good, such as logging tool usage and filtering unauthorized commands. Over the last few months, there has been a lot of activity in the Model Context Protocol (MCP) space, both in terms of adoption as well as security. Developed by Anthropic, MCP has been rapidly gaining traction across the AI ecosystem. MCP allows Large Language Models (LLMs) to interface with tools and for those interfaces to be rapidly created. MCP tools allow for the rapid development of “agentic” systems, or AI systems that autonomously perform tasks. Beyond adoption, new attack techniques have been shown to allow prompt injection via MCP tool descriptions and responses, MCP tool poisoning, rug pulls and more. Prompt Injection is a weakness in LLMs that can be used to elicit unintended behavior, circumvent safeguards and produce potentially malicious responses. Prompt injection occurs when an attacker instructs the LLM to disregard other rules and do the attacker’s bidding. In this blog, I show how to use techniques similar to prompt injection to change the LLM’s interaction with MCP tools. Anyone conducting MCP research may find these techniques useful.
·tenable.com·
Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries | SentinelOne
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves. In recent months, SentinelOne has observed and defended against a spectrum of attacks, from financially motivated crimeware to tailored campaigns by advanced nation-state actors. These incidents were real intrusion attempts against a U.S.-based cybersecurity company by adversaries, but incidents such as these are neither new nor unique to SentinelOne. Recent adversaries have included:
DPRK IT workers posing as job applicants
Ransomware operators probing for ways to access/abuse our platform
Chinese state-sponsored actors targeting organizations aligned with our business and customer base
·sentinelone.com·
Eight countries launch Operational Taskforce to tackle violence-as-a-service
Europol has launched a new Operational Taskforce (OTF) to tackle the rising trend of violence-as-a-service and the recruitment of young perpetrators into serious and organised crime. Known as OTF GRIMM, the Taskforce, led by Sweden, brings together law enforcement authorities from Belgium, Denmark, Finland, France, Germany, the Netherlands, and Norway, with Europol providing operational support, threat analysis and coordination. The exploitation of young perpetrators to carry out criminal acts has emerged as a fast-evolving tactic used by organised crime. This trend was underlined in the European Union Serious and Organised Crime Threat Assessment 2025 (EU-SOCTA), which identified the deliberate use of youngsters as a way to avoid detection and prosecution. Violence-as-a-service refers to the outsourcing of violent acts to criminal service providers — often involving the use of young perpetrators to carry out threats, assaults, or killings for a fee. Investigations show that these acts are often orchestrated remotely, with young people recruited and instructed online. There is a clear demand from the criminal underworld for youngsters willing to carry out violent tasks — and a supply of vulnerable young people being groomed or coerced into doing so.
·europol.europa.eu·
Verisource Services Increases Data Breach Victim Count to 4 Million
Verisource Services, an employee benefits administration service provider, has determined that a previously announced data breach was far worse than initially thought and has affected up to 4 million individuals. The Houston, Texas-based company detected a hacking incident on February 28, 2024, that disrupted access to some of its systems. Third-party cybersecurity and incident response experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity. The forensic investigation confirmed hackers had access to its network and exfiltrated files on February 27, 2024. At the time of the initial announcement, Verisource Services said names, dates of birth, genders, and Social Security numbers had been stolen. The affected individuals included employees and dependents of clients who used its services, which include HR outsourcing, benefits enrollment, billing, and administrative services. The data breach was initially reported as affecting 1,382 individuals, but as the investigation progressed, it became clear that the breach was worse than initially thought. In August 2024, the data breach was reported to the HHS’ Office for Civil Rights (OCR) as involving the protected health information of 112,726 individuals. The most recent notification to the Maine Attorney General indicates up to 4 million individuals have been affected, a sizeable increase from previous estimates. The OCR breach portal still lists the incident as affecting 112,726 patients and plan members of its HIPAA-regulated entity clients, although that total may well be updated in the coming days. Verisource Services explained in the breach notice that the data review was not completed until April 17, 2025, almost 14 months after the security incident was detected. Verisource Services reported the security incident to the Federal Bureau of Investigation, and several additional security measures have been implemented to improve its security posture. 
Notification letters had previously been sent to some affected individuals; however, the bulk of the notification letters have only recently been mailed. Verisource Services said complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, who will also be protected with a $1,000,000 identity theft insurance policy.
·hipaajournal.com·
Hitachi Vantara takes servers offline after Akira ransomware attack
Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack. The company provides data storage, infrastructure systems, cloud management, and ransomware recovery services to government entities and some of the world's biggest brands, including BMW, Telefónica, T-Mobile, and China Telecom. In a statement shared with BleepingComputer, Hitachi Vantara confirmed the ransomware attack, saying it hired external cybersecurity experts to investigate the incident's impact and is now working on getting all affected systems online. "On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer. "Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident. "We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."
·bleepingcomputer.com·
NCSC statement: Incident impacting retailers
Following news of cyber incidents impacting UK retailers, the NCSC can confirm it is working with organisations affected. NCSC CEO Dr Richard Horne said: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public. “The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture. “These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”
·ncsc.gov.uk·
Emera and Nova Scotia Power Responding to Cybersecurity Incident
April 28, 2025 HALIFAX, Nova Scotia--(BUSINESS WIRE)-- Emera Inc. and Nova Scotia Power today announced that on April 25, 2025 they discovered, and are actively responding to, a cybersecurity incident involving unauthorized access into certain parts of its Canadian network and servers supporting portions of its business applications. Immediately following detection of the external threat, the companies activated their incident response and business continuity protocols, engaged leading third-party cybersecurity experts, and took actions to contain and isolate the affected servers and prevent further intrusion. Law enforcement officials have been notified. There remains no disruption to any of our Canadian physical operations, including at Nova Scotia Power’s generation, transmission and distribution facilities, the Maritime Link or the Brunswick Pipeline, and the incident has not impacted the utility’s ability to safely and reliably serve customers in Nova Scotia. There has been no impact to Emera’s U.S. or Caribbean utilities. Emera will release its Q1 Financial Statements and Management Disclosure and Analysis on May 8, 2025, as planned. At this time, the incident is not expected to have a material impact on the financial performance of the business. Our IT team is working diligently with cyber security experts to bring the affected portions of our IT system back online.
·investors.emera.com·
DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening. The attacks on Marks and Spencer, Co-op and Harrods are linked. DragonForce’s lovely PR team claim more are to come. Defenders should urgently make sure they have read the CISA briefs on Scattered Spider and LAPSUS$, as it’s a repeat of the 2022–2023 activity which saw breaches at Nvidia, Samsung, Rockstar and Microsoft amongst many others. More info below. I am not saying it is Scattered Spider; Scattered Spider has become a dumping ground for e-crime groups anyway. The point is they — the threat actor — are entering using the front door, via the helpdesk, to get MFA access — those are very good guides from defenders about what to do, links below. Source: Cybersecurity and Infrastructure Security Agency. DragonForce is a white label cartel operation housing anybody who wants to do e-crime. Some of them are pretty good at e-crime. While organisations are away at RSA thinking about quantum AI cyber mega threats — the harsh reality is most organisations do not have the foundations in place to be worrying about those kinds of things. Generative AI is porn for execs and growth investment — threat actors are very aware that now is the time to launch attacks, not with GenAI, but through foundational issues. Because nobody is paying attention. Once they get access, they are living off the land — using Teams, Office search to find documentation, the works. Forget APTs, now you have the real threat: Advanced Persistent Teenagers, who have realised the way to evade most large cyber programmes is to cosplay as employees. Last time this happened, the MET Police ended up arresting a few under-18 UK nationals, causing incidents to largely drop off.
·doublepulsar.com·
Ransomware attacks on food and agriculture industry have doubled in 2025 | The Record from Recorded Future News
The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service. Jonathan Braley, director of cyber information sharing organization Food and Ag-ISAC, spoke at the RSA Conference on Thursday and warned of not only the increase in ransomware incidents but the continued lack of visibility into the full scope of the problem. “A lot of it never gets reported, so a ransomware attack happens and we never get the full details,” he told Recorded Future News on the sidelines of the conference. “I wish companies would be more open in talking about it and sharing ‘Here's what they use, here's how we fixed it,’ so the rest of us can prevent that.” Braley noted that even when they took out the attacks attributed to Clop, groups like RansomHub and Akira were still continuing to attack the food industry relentlessly. The Food and Ag-ISAC obtained its numbers through a combination of open-source sites, dark web monitoring, member input and information sharing between National Council of ISAC members. The industry saw 31 attacks in January and 35 in February before a dip to 18 attacks in March. The 84 attacks seen from January to March were more than double the number seen in Q1 2024.
·therecord.media·
SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
Another day, another edge device being targeted - it’s a typical Thursday! In today’s blog post, we’re excited to share our previously private analysis of the now exploited-in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. Over the last few months, our client base has fed us rumours of in-the-wild exploitation of SonicWall systems, and thus, this topic has had our attention for a while. Specifically, today, we’re going to be analyzing and reproducing:
* CVE-2024-38475 - Apache HTTP Pre-Authentication Arbitrary File Read, discovered by Orange Tsai. Although this is a CVE attached to the Apache HTTP Server, it is important to note that due to how CVEs are now assigned, a separate CVE will not be assigned for SonicWall's usage of the vulnerable version. This makes the situation confusing for those responding to CISA's KEV listing - CISA is referring to the two vulnerabilities in combination being used to attack SonicWall devices. You can see this evidenced in SonicWall's updated PSIRT advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018
* CVE-2023-44221 - Post-Authentication Command Injection, discovered by "Wenjie Zhong (H4lo) Webin lab of DBappSecurity Co., Ltd”.
As of the day this research was published, CISA had added these vulnerabilities to the Known Exploited Vulnerabilities list. Do you know the fun thing about these posts? We can copy text from previous posts about edge devices:
·labs.watchtowr.com·
Harrods is latest retailer to be hit by cyber-attack | Harrods | The Guardian
Luxury department store is forced to shut some systems but website and shops continue to operate. Harrods has been hit by a cyber-attack, just days after Marks & Spencer and the Co-op were targeted. The luxury department store is understood to have been forced to shut down some systems, but said its website and all its stores, including the Knightsbridge flagship, H beauty and airport outlets, continued to operate. It is understood the retailer first realised it was being targeted earlier this week. Harrods said in a statement: “We recently experienced attempts to gain unauthorised access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.” The retailer said it was not asking customers to take any action, indicating that it did not suspect data had been accessed. It added: “We will continue to provide updates as necessary.”
·theguardian.com·
Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty
Recent Western government revelations about EvilCorp flesh out how Russian ransomware actors and the Russian government use each other to navigate a world they perceive as dangerous. Note added April 30 2025: Originally posted October 16, 2024 in a very different global geopolitical context, this analysis remains relevant today. Subsequent revelations, especially a set of leaked messages from the Black Basta group – a successor to the Conti group – reaffirm the complexity of relations between Russian ransomware actors and security officials. (The Natto Team discussed the value of leaks here). The Black Basta leaks show that group's members as:
* Receiving Protection: Black Basta chief “Tramp” – who chose as his moniker the Russian version of the current US president’s name – boasted of receiving high-level help from Russian authorities after Armenian officials arrested him in June 2024.
* But Still Vulnerable: Tramp speculated in July 2024 that someone from their circle had snitched on him, “tempted” by the rewards the US State Department has offered for information on Tramp. He also received tipoffs from criminal acquaintances and from “my law enforcement people,” telling him that Russian officials faced international pressure to crack down on Russian cybercriminals: “those who get paid by Interpol here will start making our lives hell.” In September 2024, Black Basta coder “YY” told Tramp that Russian officials had raided YY's home, impounded his car, and “marinated” him in custody for a time.
* Under Pressure to Work for the Russian State: In a November 14 2022 chat, “Tramp” said, “I have guys in Lubyanka [FSB headquarters] and the GRU [military intelligence agency] – I have been “feeding” them for a long time. They only want to take people on to work for them. They won’t even talk about [prison] sentences or anything. You can go in to work every day at 8 am and leave at 6 pm, just like in a ‘white’ [legitimate] job.”
* Tracking Geopolitics: In May 2024, after Black Basta paralyzed IT systems at US-based Ascension Healthcare, Black Basta ransom negotiator “Tinker” pondered the group's extortion strategy in light of US election-year politics. He mused that, if anyone died as a result of the group’s attack on a healthcare entity – particularly a Christian hospital system like Ascension – US citizens would demand that their government do whatever it took to induce Russia to crack down on the criminals. Tinker speculated that the Joe Biden administration might make serious concessions to Russia, such as reducing military aid to Ukraine, in return for Russia’s cracking down on the criminals.
For the Natto Team’s own assessment of Russian-US “ransomware diplomacy,” see here and here. It will be interesting to observe how Russian cybercriminals interpret recent developments in US-Russian relations.
·nattothoughts.substack.com·
Active Subscription Scam Campaigns Flooding the Internet
Bitdefender researchers have uncovered a surge in subscription scams, both in scale and sophistication, spurred by a massive campaign involving hundreds of fraudulent websites. Incredibly convincing websites, selling everything from shoes and clothes to diverse electronics, are tricking people into paying monthly subscriptions and willingly giving away credit card data. Many of the websites are linked to a single address in Cyprus, likely home to an offshore company. The scam encompassed more than 200 different websites, including many that are still up and running. Criminals create Facebook pages and take out full ads to promote the already classic "mystery box" scam and other variants. The "mystery box" scam has evolved and now includes almost hidden recurring payments, alongside links to various shop websites. Facebook is used as the main platform for these new and enhanced mystery box scams. Content creators are being impersonated to promote mystery boxes, or fraudsters create new pages that look a lot like the originals.
·bitdefender.com·
Ledger scammers are sending letters to steal seed phrases
Ledger has warned that scammers are mailing letters that appear to be from the company to users of its hardware wallets in an attempt to swipe crypto. Scammers are mailing physical letters to the owners of Ledger crypto hardware wallets asking them to validate their private seed phrases in a bid to access the wallets and clean them out. In an April 29 X post, tech commentator Jacob Canfield shared a scam letter sent to his home via post that appeared to be from Ledger, claiming he needed to immediately perform a “critical security update” on his device. The letter, which uses Ledger’s logo, business address, and a reference number to feign legitimacy, asks the recipient to scan a QR code and enter the wallet’s private recovery phrase under the guise of validating the device.
·cointelegraph.com·
Cell C confirms data breach, warns users to remain vigilant
Cell C, South Africa’s fourth largest mobile network operator, said on Wednesday morning that RansomHouse had unlawfully disclosed data after a security breach for which RansomHouse is claiming responsibility. The operator, with 7.7 million subscribers as of February, was attacked in early November 2024 and RansomHouse acquired 2TB of data, which has been corroborated by files posted on the dark web, according to security company PFortner. Data accessed included full names and contact details (email, phone numbers), ID numbers, banking details (if stored for billing purposes), driver’s license numbers, medical records (if supplied for closure of accounts on death of a family member) and passport details. It is not clear how many people were affected.
·iol.co.za·
Grafana security update: no customer impact from GitHub workflow vulnerability
On April 26, an unauthorized user exploited a vulnerability with a GitHub workflow to gain unauthorized access to tokens, all of which have now been invalidated. At this time, our investigation has found no evidence of code modifications, unauthorized access to production systems, exposure of customer data, or access to personal information.
·grafana.com·
Using Trusted Protocols Against You: Gmail as a C2 Mechanism...
Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages. These seven packages (Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave and cfc-bsb) use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic. These packages have since been removed from the Python Package Index (PyPI).
·socket.dev·