This blog post covers the full details of EntrySign, the AMD Zen microcode signature validation vulnerability recently discovered by the Google Security team.
Havoc: SharePoint with Microsoft Graph API turns into FUD C2
ForitGuard Lab reveals a modified Havoc deployed by a ClickFix phishing campaign. The threat actor hides each stage behind SharePoint and also uses it as a C2.
New DDoS Botnet Discovered: Over 30,000 Hacked Devices, Majority of Observed Activity Traced to Iran
A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks.
Guerre en Ukraine : trois années d’opérations informationnelles russes
Ce rapport présente sous la forme d’une synthèse les principaux modes opératoires informationnels observés depuis trois ans, dont la majeure partie est apparue en corollaire de la guerre d’agression menée par la Russie en Ukraine.
Doppelgänger: New disinformation campaigns spreading on social media through Russian networks
This report presents: The intrusion set commonly known as Doppelgänger continues to spread disinformation narratives on social medias such as X, through bot accounts specifically made for such campaigns. As for its previous campaigns, Doppelgänger pushes its anti-western narrative on pages spoofing the medias of the targeted countries, such as France, Germany, Italy, Ukraine, and Israel. The disinformation campaign aims to manipulate public opinion by exploiting sensitive issues and exacerbating social and geopolitical divisions. The linguistic characteristics of the articles suggest that some of them were translated from Russian or edited by Russian natives, reinforcing the hypothesis that they are of Russian origin. In order to bypass both manual and automatic moderation on social media platforms, Doppelgänger continues to leverage Kehr[.]io, a redirection provider advertised on Russian speaking underground forums. This service hosts its infrastructure on IPs announced by English companies managed by Ukrainian and Belarusian individuals that we could connect with a high level of confidence to bulletproof network hosting solutions. * The disinformation campaigns remain ongoing.
Zapier says someone broke into its code repositories and may have accessed customer data
Zapier is notifying customers about a “security incident,” which involved an unauthorized user gaining access to the company’s code repositories and “certain custom information.”
Le plus grave incident de sécurité jamais connu par la Sûreté de l'État: "Des pirates informatiques chinois ont pu rentrer dans ce logiciel"
La Sûreté de l'État est touchée par un grave incident de sécurité. Des pirates chinois ont détourné des courriels pendant deux ans, compromettant potentiellement des données sensibles du personnel.
La série noire continue pour Ruag et l’armée suisse, à la suite d’une cyberattaque massive - Le Temps
A travers la caisse de compensation de Swissmem, la faîtière de l’industrie des machines et des technologies, les données des employés de 180 firmes travaillant pour la Confédération et l’armée ont été mises en ligne. Une faille de sécurité majeure pour la Suisse
Le PFPDT guide les responsables du traitement quant à leur devoir d’informer des violations de la sécurité des données
La sécurité des données est un équilibre délicat, où chaque faille peut laisser entrer des risques menaçant l’intégrité, la disponibilité et la confidentialité des informations. Lorsqu’une violation de la sécurité se produit, le droit impose à certaines conditions une direction : celle de l’alerte et de la transparence. Pour orienter les responsables du traitement, le Préposé fédéral à la protection des données (PFPDT) offre un guide visant à éclairer le devoir d’annonce des violations de la sécurité des données.
Fremdzugriff auf ein E-Mail-Konto der kantonalen Verwaltung Appenzell I.Rh. — Appenzell Innerrhoden
Unbekannte sind in das Mailkonto von Säckelmeister Ruedi Eberle eingedrungen. Dank des Sicherheitssystems konnte eine Weiterverbreitung rasch unterbunden werden. Nach aktuellem Stand sind weder Daten verloren gegangen noch weitere Konten der kantonalen Verwaltung betroffen.
Exclusive: Hegseth orders Cyber Command to stand down on Russia planning
The secretary of Defense has ordered U.S. Cyber Command to stand down from all planning against Russia, including offensive digital actions, sources tell Recorded Future News.
Ransomware : sur la piste trouble de l’un des leaders de Black Basta
Les échanges internes au groupe Black Basta divulgués la semaine dernière offrent une nouvelle opportunité d’enquêter sur l’un de ses leaders : tramp. Il pourrait avoir été arrêté en Arménie en juin 2024, avant d’être relâché.
Key Takeaways The intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, ultimately leading to the deployment of LockBit ransomware across the environment.…
(EncryptHub) is a threat actor that has come to the forefront with highly sophisticated spear-phishing attacks since 26 June 2024. In the attacks it has carried out, it exhibits a different operational strategy by carrying out all the processes necessary to obtain initial access through personalized SMS (smishing) or by calling the person directly (vishing) and tricking the victim into installing remote monitoring and management (RMM) software. When investigating the attacks carried out by the threat actor, it is evident that their social engineering techniques and persuasion skills are highly effective. In the first phase, the actor usually creates a phishing site that targets the organization to obtain the victim's VPN credentials. The victim is then called and asked to enter the victim's details into the phishing site for technical issues, posing as an IT team or helpdesk. If the attack targeting the victim is not a call but a direct SMS text message, a fake Microsoft Teams link is used to convince the victim. After gaining access from the victim, the team runs various stealers on the compromised machine using the PowerShell
Orange Group confirms breach after hacker leaks company documents
A hacker claims to have stolen thousands of internal documents with user records and employee data after breaching the systems of Orange Group, a leading French telecommunications operator and digital service provider. #Breach #Computer #Data #Email #Extortion #InfoSec #Jira #Leak #Orange #Ransom #S.A. #Security
Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger
Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services. While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war.
Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions' Infrastructure
The Lumma Stealer malware campaign is exploiting compromised educational institutions to distribute malicious LNK files disguised as PDFs, targeting industries like finance, healthcare, technology, and media. Once executed, these files initiate a stealthy multi-stage infection process, allowing cybercriminals to steal passwords, browser data, and cryptocurrency wallets. With sophisticated evasion techniques, including using Steam profiles for command-and-control operations, this malware-as-a-service (MaaS) threat highlights the urgent need for robust cybersecurity defenses. Stay vigilant against deceptive phishing tactics to protect sensitive information from cyber exploitation.
An Update on Fake Updates: Two New Actors, and New Mac Malware
Key findings Proofpoint identified and named two new cybercriminal threat actors operating components of web inject campaigns, TA2726 and TA2727. Proofpoint identified a new Proofpoint identified and named two new cybercriminal threat actors operating components of web inject campaigns, TA2726 and TA2727. Proofpoint identified a new MacOS malware delivered via web inject campaigns that our researchers called FrigidStealer. * The web inject campaign landscape is increasing, with a variety of copycat threat actors conducting similar campaigns, which can make it difficult for analysts to track.
On February 21, 2025, at approximately 12:30 PM UTC , Bybit detected unauthorized activity within one of our Ethereum (ETH) Cold Wallets during a routine transfer process. The transfer was part of a scheduled move of ETH from our ETH Multisig Cold Wallet to our Hot Wallet. Unfortunately, the transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet. As a result, over 400,000 ETH and stETH worth more than $1.5 billion were transferred to an unidentified address.