An Italian journalist speaks about being targeted with Paragon spyware
As an undercover journalist covering Italian politics, Francesco Cancellato is used to reporting on scandals. But he never thought he would be part of the story.
cyberveille.decio.ch
CVE-2024-12356
On December 16, 2024, BeyondTrust published both an advisory and patches for CVE-2024-12356, a critical unauthenticated remote code execution (RCE) vulnerabili…
Dutch police say they took down 127 servers used by sanctioned hosting service | The Record from Recorded Future News
Police in the Netherlands say they seized 127 servers this week that were used by Zservers, a bulletproof hosting service that was the subject of international sanctions issued Tuesday.
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication | Volexity
Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack campaigns were highly targeted and carried out in a variety of ways. The majority of these attacks originated via spear-phishing emails with different themes. In one case, the eventual breach began with highly tailored outreach via Signal.Through its investigations, Volexity discovered that Russian threat actors were impersonating a variety of individuals
RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers
Between December 2024 and January 2025, Recorded Future’s Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers. Victim organizations included a United States-based affiliate of a United Kingdom-based telecommunications provider and a South African telecommunications provider. Insikt Group attributes this activity to the Chinese state-sponsored threat activity group tracked by Insikt Group as RedMike, which aligns with the Microsoft-named group Salt Typhoon. Using Recorded Future® Network Intelligence, Insikt Group observed RedMike target and exploit unpatched Cisco network devices vulnerable to CVE-2023-20198, a privilege escalation vulnerability found in the web user interface (UI) feature in Cisco IOS XE software, for initial access before exploiting an associated privilege escalation vulnerability, CVE-2023-20273, to gain root privileges. RedMike reconfigures the device, adding a generic routing encapsulation (GRE) tunnel for persistent access.
Cybercrime: A Multifaceted National Security Threat
Google Threat Intelligence Group discusses the current state of cybercrime, and why it must be considered a national security threat.
Microsoft Patch Tuesday, February 2025 Edition
Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.
New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale | GreyNoise Blog
GreyNoise has detected a surge in exploitation attempts for two vulnerabilities—one flagged as a top target by government agencies and another flying under the radar despite real-world attacks. See the latest exploitation trends and why real-time intelligence is essential for risk management.
Fortinet discloses second firewall auth bypass patched in January
Fortinet has disclosed a second authentication bypass vulnerability that was fixed as part of a January 2025 update for FortiOS and FortiProxy devices.
Sky ECC encrypted service distributors arrested in Spain, Netherlands
Four distributors of the encrypted communications service Sky ECC, used extensively by criminals, were arrested in Spain and the Netherlands.
New UK sanctions target Russian cybercrime network
A key Russian cybercrime syndicate responsible for aiding merciless ransomware attacks around the world has been targeted by new UK sanctions.
THAI-SWISS-US OPERATION NETS HACKERS BEHIND 1,000+ CYBER ATTACKS
Thai police arrested four European hackers in Phuket who allegedly stole $16 million through ransomware attacks affecting over 1,000 victims worldwide. The suspects, wanted by Swiss and US authorities, were caught in coordinated raids across four locations. Officers from Cyber Crime Investigation Bureau, led by Police Lieutenant General Trairong Phiwphan, conducted “Operation PHOBOS AETOR” in Phuket on February 10, arresting four foreign hackers involved in ransomware attacks. The operation, coordinated with Immigration Police and Region 8 Police, raided four locations across Phuket....
Four alleged hackers arrested in Phuket for hacking 17 Swiss firms
Four alleged European hackers have been arrested in Phuket for deploying ransomware on the networks of 17 Swiss firms. The suspects are accused of causing significant damage and stealing $16 million in Bitcoins from 1,000 global victims.
8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur
The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines - and then abandoned. Naturally, we registered them, just to see what would happen - “how many people are really trying to request software updates from S3 buckets that appear to have been abandoned months or even years ago?”, we naively thought to ourselves.
Go Module Mirror served backdoor to devs for 3+ years - Ars Technica
Supply chain attack targets developers using the Go programming language.
Spain arrests suspected hacker of US and Spanish military agencies
The Spanish police have arrested a suspected hacker in Alicante for allegedly conducting 40 cyberattacks targeting critical public and private organizations, including the Guardia Civil, the Ministry of Defense, NATO, the US Army, and various universities.
Casio Website Infected With Skimmer
A threat actor has infected the website of Casio UK and 16 other victims with a web skimmer that altered the payment flow to harvest and exfiltrate visitors’ information, web security provider Jscrambler reports.
British engineering firm IMI discloses breach, shares no details
British-based engineering firm IMI plc has disclosed a security breach after unknown attackers hacked into the company's systems.
Ransomware payments dropped 35% in 2024
Chainalysis says a combination of law enforcement actions and better defenses led to less money going out to ransomware actors.
Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2025-21293)
In September of 2024 while on a customer assigment I encountered the “Network Configuration Operators” group, a so called builtin group of Active Directory (default). As I had never heard of or encountered this group membership before, it sprung to eye immediately. Initially I tried to look up if it had any security implications, like its more known colleagues DNS Admins and Backup Operators, but to no avail. Surpisingly little came up about the group but I couldn’t help myself from probing further. This led me down the rabbithole of Registry Database access control lists and possibilities of weaponization, culminating with the discovery of CVE-2025-21293. Before we move along to the body of work, I have to give out a special thanks to Clément Labro, who initially did the heavy lifting of finding a way to weaponize performancecounters. (This will hopefully make more sense by the end of the article) and my colleagues at ReTest Security ApS, who have provided me with knowledge in the field and the oppertunity to put it to use.
CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks
The ZDI team offers an analysis of how CVE-2025-0411, a zero-day vulnerability in 7-Zip was actively exploited to target Ukrainian organizations through spear-phishing and homoglyph attacks.
U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, Per First-Ever Report
In a first-of-its-kind report, the US government has revealed that it disclosed 39 zero-day software vulnerabilities to vendors or the public in 2023 for the purpose of getting the vulnerabilities patched or mitigated, as opposed to retaining them to use in hacking operations. It’s the first time the government has revealed specific numbers about its controversial Vulnerabilities Equities Process (VEP) — the process it uses to adjudicate decisions about whether zero-day vulnerabilities it discovers should be kept secret so law enforcement, intelligence agencies, and the military can exploit them in hacking operations or be disclosed to vendors to fix them. Zero-day vulnerabilities are security holes in software that are unknown to the software maker and are therefore unpatched at the time of discovery, making systems that use the software at risk of being hacked by anyone who discovers the flaw.
BSI analysis shows: Nextcloud server stored passwords in plain text | heise online
A code analysis by the BSI shows that two-factor authentication could be bypassed in Nextcloud Server. Passwords were also stored in plain text.
Arma Reforger And DayZ DDOS Attack Continues, Devs "Making Progress"
Bohemia Interactive has issued a statement in response to the Arma Reforger and DayZ DDOS attack.
Kimsuky hackers use new custom RDP Wrapper for remote access
The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
Hackers target Taliban databases
Habib Mohammadi reports: A group of unidentified hackers has breached the Taliban’s databases, leaking documents from 21 ministries and government agencies, some of which appear to be classified, according to reports circulating online. The leaked files reportedly include documents from the Taliban-controlled ministries of finance, justice, foreign affairs, information and culture, telecommunications, and mining, as well as the Supreme Court and the Ministry for the Promotion of Virtue and Prevention of Vice. The hackers have published hundreds of these documents on a website called “Talibleaks.”
Deloitte to provide Rhode Island $5M for ransomware recovery
After a ransomware attack on the state's health and social services system, Deloitte is giving Rhode Island $5 million to help cover expenses.
Hackers Exploiting A Six-Year-Old IIS Vulnerability To Gain Remote Access
The eSentire Threat Response Unit (TRU) revealed that threat actors are actively exploiting a six-year-old IIS vulnerability.
Code injection attacks using publicly disclosed ASP.NET machine keys
Microsoft Threat Intelligence observed limited activity by an unattributed threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework. In the course of investigating, remediating, and building protections against this activity, we observed an insecure practice whereby developers have incorporated various publicly disclosed ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories, which threat actors have used to launch ViewState code injection attacks and perform malicious actions on target servers.
Critical Cisco ISE bug can let attackers run commands as root
Cisco has fixed two critical Identity Services Engine (ISE) vulnerabilities that can let attackers with read-only admin privileges bypass authorization and run commands as root.