Cyberveille, curated by Decio
184 million unique passwords publicly exposed: the huge leak nobody saw coming https://www.clubic.com/actualite-566523-millions-de-mots-de-passe-uniques-exposes-publiquement-l-enorme-fuite-que-personne-n-a-vue-venir.html
23/05/2025 14:10:47

A database containing more than 184 million unique logins and passwords was discovered freely accessible on the Internet. Behind this massive leak: credentials tied to consumer services, bank accounts, government addresses… and no way to trace its origin.

  • A database of 184 million logins was found online, publicly exposing sensitive information.
  • The credentials span a variety of services, creating a high risk of account compromise for users and organizations.
  • Users should secure their accounts: avoid reusing passwords and enable two-factor authentication.

In early May, researcher Jeremiah Fowler discovered an unprotected Elastic database containing more than 184 million unique logins and passwords. Total size of this enormous leak: 47.42 GB. The whole data set was hosted on the servers of the provider World Host Group, with no password or encryption, and was therefore freely accessible to anyone who knew its IP address.

clubic FR 2025 data-leak WorldHostGroup
State of Valais website falls victim to a cyberattack https://www.rts.ch/info/regions/valais/2025/article/cyberattaque-sur-le-site-de-l-etat-du-valais-mesures-prises-aucun-dommage-28892230.html
23/05/2025 12:44:36

A cyberattack has been affecting the State of Valais website since midday Thursday. The site was taken offline as a precaution. At this stage, no damage has been found.

"The hackers temporarily held extended rights on the State of Valais internet and intranet sites, which could allow modifications to be made to the site," says Claude-Alain Berclaz, head of the Cantonal IT Service. "This has not been observed so far."

This attack "is the first of this scale," he adds. No one has claimed responsibility for the malicious act.

Restoration operation
According to the authorities, these attacks did not allow intrusion into other State systems. Internal operational activities are not affected.

The canton says it has "taken all measures to secure its IT environment as much as possible" and that it "systematically" applies "cybersecurity best practices". It is seeking to bring its systems back into operation "as quickly as possible".

rts.ch FR CH Suisse 2025 cyberattaque vs.ch down Valais
TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC Infostealers Instead https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html
23/05/2025 12:20:52

Trend™ Research uncovered a campaign on TikTok that uses videos to lure victims into downloading information stealers, a tactic that can be automated using AI tools.

  • Trend Research uncovered a new social engineering campaign using TikTok to deliver the Vidar and StealC information stealers. This attack uses videos (possibly AI-generated) to instruct users to execute PowerShell commands, which are disguised as software activation steps.
  • TikTok’s algorithmic reach increases the likelihood of widespread exposure, with one video reaching more than half a million views. Businesses can be affected by data exfiltration, credential theft, and potential compromise of sensitive systems as a result of this threat.
  • Reinforcing security awareness, especially against AI-generated content, is crucial. Monitoring for unusual command execution involving PowerShell or other system utilities also helps identify malicious activity early.
  • Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on this campaign.

Trend Research has uncovered a novel social engineering campaign using TikTok’s vast user base to distribute information-stealing malware, specifically Vidar and StealC. Unlike the prevalent Fake CAPTCHA campaign — which relies on fake CAPTCHA pages and clipboard hijacking to trick users into running malicious scripts — this new campaign pivots to exploiting the popularity and viral nature of TikTok.

Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features. This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware.
This report details the observed tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), and the potential impact of this trend.

trendmicro EN 2025 TikTok Videos Promise Pirated App StealC Infostealers
Hidden Threats of Dual-Function Malware Found in Chrome Extensions https://dti.domaintools.com/dual-function-malware-chrome-extensions/
22/05/2025 16:25:32

An unknown actor has been continuously creating malicious Chrome Browser extensions since approximately February, 2024. The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, Crypto, banking and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store (CWS). The extensions typically have a dual functionality, in which they generally appear to function as intended, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code.

domaintools EN 2025 malicious Chrome Browser Extensions CWS
Europol and Microsoft disrupt world’s largest infostealer Lumma https://www.europol.europa.eu/media-press/newsroom/news/europol-and-microsoft-disrupt-world%E2%80%99s-largest-infostealer-lumma
22/05/2025 13:18:10

Europol’s European Cybercrime Centre has worked with Microsoft to disrupt Lumma Stealer (“Lumma”), the world’s most significant infostealer threat.

This joint operation targeted the sophisticated ecosystem that allowed criminals to exploit stolen information on a massive scale. Europol coordinated with law enforcement in Europe to ensure action was taken, leveraging intelligence provided by Microsoft.

Between 16 March and 16 May 2025, Microsoft identified over 394 000 Windows computers globally infected by the Lumma malware. In a coordinated follow-up operation this week, Microsoft’s Digital Crimes Unit (DCU), Europol, and international partners have disrupted Lumma’s technical infrastructure, cutting off communications between the malicious tool and victims. In addition, over 1 300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes.

The Head of Europol’s European Cybercrime Centre, Edvardas Šileris, said: “This operation is a clear example of how public-private partnerships are transforming the fight against cybercrime. By combining Europol’s coordination capabilities with Microsoft’s technical insights, a vast criminal infrastructure has been disrupted. Cybercriminals thrive on fragmentation – but together, we are stronger.”

europol EEN 2025 LummaStealer operation disrupt infostealer
Lumma Stealer takedown: Microsoft leads global action against a tool favored by cybercrime https://news.microsoft.com/source/emea/2025/05/demantelement-de-lumma-stealer-microsoft-conduit-une-action-mondiale-contre-un-outil-prise-du-cybercrime/?lang=fr
22/05/2025 13:16:04

Microsoft's Digital Crimes Unit (DCU), working with international partners, is taking on one of the main tools used to steal sensitive data on a massive scale, whether personal or professional, for cybercriminal purposes. On Tuesday, May 13, Microsoft's DCU filed legal action against Lumma Stealer (“Lumma”), an information-stealing malware widely used by hundreds of cyber threat actors. Lumma steals passwords, credit cards, bank accounts and cryptocurrency wallets. This tool has enabled criminals to lock down schools in order to extract a ransom, to empty bank accounts and to disrupt essential services.

Under a court order issued by the federal court for the Northern District of Georgia, Microsoft's Digital Crimes Unit (DCU) seized and took offline approximately 2,300 malicious domains that formed the core infrastructure of Lumma. In parallel, the U.S. Department of Justice (DOJ) dismantled the malware's main command structure and disrupted the marketplaces where the tool was sold to other cybercriminals. Europol, through its European Cybercrime Centre (EC3), and the Japan Cybercrime Control Center (JC3) helped suspend Lumma's local infrastructure.

microsoft FR 2025 LummaStealer cybercrime collaboration DOJ
Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE https://www.bleepingcomputer.com/news/security/unpatched-critical-bugs-in-versa-concerto-lead-to-auth-bypass-rce/
22/05/2025 13:14:22

Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems.
Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed.

Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.

bleepingcomputer EN 2025 Authentication-Bypass RCE Remote-Code-Execution Versa-Concerto Vulnerability CVE-2025-34027 CVE-2025-34026 CVE-2025-34025
Unit 42 Develops Agentic AI Attack Framework https://www.paloaltonetworks.com/blog/2025/05/unit-42-develops-agentic-ai-attack-framework/
21/05/2025 13:31:05

Threat actors are advancing AI strategies and outpacing traditional security. CXOs must critically examine AI weaponization across the attack chain.

The integration of AI into adversarial operations is fundamentally reshaping the speed, scale and sophistication of attacks. As AI defense capabilities evolve, so do the AI strategies and tools leveraged by threat actors, creating a rapidly shifting threat landscape that outpaces traditional detection and response methods. This accelerating evolution necessitates a critical examination for CXOs into how threat actors will strategically weaponize AI across each phase of the attack chain.

One of the most alarming shifts we have seen, following the introduction of AI technologies, is the dramatic drop in mean time to exfiltrate (MTTE) data, following initial access. In 2021, the average MTTE stood at nine days. According to our Unit 42 2025 Global Incident Response Report, by 2024 MTTE dropped to two days. In one in five cases, the time from compromise to exfiltration was less than 1 hour.

In our testing, Unit 42 was able to simulate a ransomware attack (from initial compromise to data exfiltration) in just 25 minutes using AI at every stage of the attack chain. That’s a 100x increase in speed, powered entirely by AI.
Recent threat activity observed by Unit 42 has highlighted how adversaries are leveraging AI in attacks:

  • Deepfake-enabled social engineering has been observed in campaigns from groups like Muddled Libra (also known as Scattered Spider), who have used AI-generated audio and video to impersonate employees during help desk scams.
  • North Korean IT workers are using real-time deepfake technology to infiltrate organizations through remote work positions, which poses significant security, legal and compliance risks.
  • Attackers are leveraging generative AI to conduct ransomware negotiations, breaking down language barriers and more effectively negotiating higher ransom payments.
  • AI-powered productivity assistants are being used to identify sensitive credentials in victim environments.
paloaltonetworks EN 2025 Agentic-AI AI attack-chain Attack-Simulations
How Adversary Telegram Bots Help to Reveal Threats: Case Study - ANY.RUN's Cybersecurity Blog https://any.run/cybersecurity-blog/adversary-telegram-bot-abuse
21/05/2025 13:17:49

Discover how to intercept data stolen by cybercriminals via Telegram bots and learn how to use it to clarify the related threat landscape.

While analyzing malware samples uploaded to ANY.RUN’s Interactive Sandbox, one particular case marked as “phishing” and “Telegram” drew the attention of our security analysts.

Although this analysis session wasn’t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. This led us to apply a message interception technique for Telegram bots, previously described on the ANY.RUN blog.

The investigation resulted in a clear and practical case study demonstrating how intercepting Telegram bot communications can aid in profiling the threat actor behind a relatively obscure phishing campaign.

Key outcomes of this analysis include:

  • Examination and technical analysis of a lesser known phishing campaign
  • Demonstration of Telegram API-based data interception techniques
  • Collection of threat intelligence (TI) indicators to help identify the actor
  • Recommendations for detecting this type of threat

any.run EN 2025 Telegram analysis malware indicators bots
“Loom”, the first project published as open source by the Cyber Command https://www.bit.admin.ch/fr/newnsb/3Cevz3zsD4R1pMdvrPsAJ
21/05/2025 11:36:41

Bern, 29.04.2025 — For the first time, the Cyber Command is publishing the source code of software it developed itself, called “Loom”. It makes it possible to build a quickly searchable collection from large data sets and various file types. The Defence Group is thereby taking a significant step toward greater transparency and collaboration.

For the first time, the Cyber Command is giving the public access, via GitLab, to a powerful search and analysis platform: the “Loom” software. One of its major advantages is its flexibility: because its source code is public, organizations can adapt the software to their own needs. New functions can be integrated, making it possible to use it for specific applications.

“Loom” makes it possible to search efficiently and easily through a very large volume of data. It handles a multitude of file types and quickly gives users an overview of a data set. It helps them dig into the data to obtain more precise results rather than merely skimming a large quantity of it.

bit.admin.ch FR CH Suisse Loom projet open-source commandement-Cyber
KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/
21/05/2025 08:31:22

KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been…
For reference, the 6.3 Tbps attack last week was ten times the size of the assault launched against this site in 2016 by the Mirai IoT botnet, which held KrebsOnSecurity offline for nearly four days. The 2016 assault was so large that Akamai – which was providing pro-bono DDoS protection for KrebsOnSecurity at the time — asked me to leave their service because the attack was causing problems for their paying customers.

Since the Mirai attack, KrebsOnSecurity.com has been behind the protection of Project Shield, a free DDoS defense service that Google provides to websites offering news, human rights, and election-related content. Google Security Engineer Damian Menscher told KrebsOnSecurity the May 12 attack was the largest Google has ever handled. In terms of sheer size, it is second only to a very similar attack that Cloudflare mitigated and wrote about in April.

After comparing notes with Cloudflare, Menscher said the botnet that launched both attacks bears the fingerprints of Aisuru, a digital siege machine that first surfaced less than a year ago. Menscher said the attack on KrebsOnSecurity lasted less than a minute, hurling large UDP data packets at random ports at a rate of approximately 585 million data packets per second.

“It was the type of attack normally designed to overwhelm network links,” Menscher said, referring to the throughput connections between and among various Internet service providers (ISPs). “For most companies, this size of attack would kill them.”

krebsonsecurity EN 2025 Hit DDoS Mirai Cloudflare Aisuru botnet
Legal Aid hack: Names, financial details and criminal histories compromised in cyberattack, Ministry of Justice says https://www.independent.co.uk/news/uk/home-news/ministry-of-justice-cyber-attack-data-legal-aid-b2753560.html
20/05/2025 20:48:48

The cyberattackers claimed 2.1m pieces of customer data had been stolen from the Legal Aid Agency

Millions of pieces of personal data, including criminal records, have been stolen from legal aid applicants in a massive cyberattack.

The data, including national insurance numbers, employment status and financial data, was breached earlier this year, according to the Ministry of Justice (MoJ).

The cyberattackers claimed they had stolen 2.1 million pieces of data from people who had applied for legal aid since 2010 but the MoJ only said a “significant amount of personal data” had been breached.

An MoJ source put the breach down to the “neglect and mismanagement” of the previous government, saying vulnerabilities in the Legal Aid Agency (LAA) systems have been known for many years.

“This data breach was made possible by the long years of neglect and mismanagement of the justice system under the last government,” the source said.

independent.co.uk UK EN 2025 Data-Breach Legal-Aid-Agency LAA
Several SwissPass accounts hacked in French-speaking Switzerland https://www.ictjournal.ch/news/2025-05-20/plusieurs-comptes-swisspass-pirates-en-suisse-romande
20/05/2025 19:53:49

Several SwissPass accounts have been hacked since the start of the year in French-speaking Switzerland. In Valais, police have recorded 16 cases with total losses of 15,400 francs. This type of fraud extends beyond the canton.

The Valais cantonal police issued an alert after recording a series of SwissPass account hacks. In a statement published on May 20, they say they received several reports of fraudulent logins to these accounts. According to the authority, 16 cases have been recorded in the canton since the beginning of 2025, for total losses of 15,400 francs.

The fraudsters access the accounts using compromised credentials, with no physical theft of the card required. Once inside the account, they use the stored payment methods, such as Twint, credit card or payment by invoice, to buy train tickets, often to France or Italy or on cross-border routes. This method lets them divert significant sums without ever accessing the victim's bank account.

ictjournal FR CH 2025 phishing SwissPass Suisse-Romande arnaque
High Risk Warning for Windows Ecosystem: New Botnet Family HTTPBot is Expanding https://nsfocusglobal.com/high-risk-warning-for-windows-ecosystem-new-botnet-family-httpbot-is-expanding/
20/05/2025 09:45:58

In April 2025, the Global Threat Hunting system of NSFOCUS Fuying Lab detected a significant increase in the activity of a new Botnet Trojan developed based on Go language. Given that many of its built-in DDoS attack methods are HTTP-based, Fuying Lab named it HTTPBot. The HTTPBot Botnet family first came into our monitoring scope in August 2024. Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks. Monitoring data indicates that its attack targets are primarily concentrated in the domestic gaming industry. Additionally, some technology companies and educational institutions have also been affected. The attack of this Botnet family is highly targeted, with attackers employing a periodical and multi-stage attack strategy to conduct continuous saturation attacks on selected targets.

In terms of technical implementation, the HTTPBot Botnet Trojan uses an “attack ID” to precisely initiate and terminate the attack process. It also incorporates a variety of innovative DDoS attack methods. By employing highly simulated HTTP Flood attacks and dynamic feature obfuscation techniques, it circumvents traditional rule-based detection mechanisms, including but not limited to the following detection bypass mechanisms:

  • Cookie replenishment mechanism
  • Randomize the UA and header of http requests
  • Real browser calling
  • Randomize URL path
  • Dynamic rate control
  • Status code retry mechanism

In recent years, most emerging Botnet families have primarily focused on developing communication methods and network control. This includes creating specialized communication tools, separating vulnerabilities from Trojans to protect key information, and enhancing communication anonymity through techniques like DGA (Domain Generation Algorithm), DOH (DNS over HTTPS), and OpenNIC. These Botnets typically emphasize traffic-based attacks aimed at bandwidth consumption. However, HTTPBot has taken a different approach by developing a range of HTTP-based attack methods to conduct transactional (business) DDoS attacks. Attackers can use these methods to precisely target high-value business interfaces and launch targeted saturation attacks on critical interfaces, such as game login and payment systems. This attack with “scalpel-like” precision poses a systemic threat to industries that rely on real-time interaction. HTTPBot marks a paradigm shift in DDoS attacks, moving from “indiscriminate traffic suppression” to “high-precision business strangulation.” This evolution forces defense systems to upgrade from simple “rule-based interception” to a more dynamic approach combining “behavioral analysis and resource elasticity.”

nsfocusglobal EN 2025 Botnet HTTPBot activity Botnet Trojan DDoS
Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
19/05/2025 06:42:28

Key Takeaways

  • The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server, allowing for remote code execution.
  • Using this access, the threat actor executed a consistent sequence of commands (installing AnyDesk, adding admin users, and enabling RDP) multiple times, suggesting the use of automation scripts or a playbook.
  • Tools like Mimikatz, ProcessHacker, and Impacket Secretsdump were used to harvest credentials.
  • The intrusion culminated in the deployment of ELPACO-team ransomware, a Mimic variant, approximately 62 hours after the initial Confluence exploitation.
  • While ransomware was deployed and some event logs were deleted, no significant exfiltration of data was observed during the intrusion.

This case was featured in our December 2024 DFIR Labs CTF and is available as a lab today here. It was originally published as a Threat Brief to customers in October 2024.

thedfirreport EN 2025 Confluence ELPACO-team Ransomware CVE-2023-22527
How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/
19/05/2025 06:40:18

The company behind the Signal clone used by at least one Trump administration official was breached earlier this month. The hacker says they got in thanks to a basic misconfiguration.

wired.com 2025 EN signal TeleMessage clone misconfiguration
Rogue communication devices found in Chinese solar power inverters https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/
18/05/2025 12:27:35
  • Rogue communication devices found in Chinese solar inverters
  • Undocumented cellular radios also found in Chinese batteries
  • U.S. says continually assesses risk with emerging technology
  • U.S. working to integrate 'trusted equipment' into the grid

LONDON, May 14 (Reuters) - U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said.
Power inverters, which are predominantly produced in China, are used throughout the world to connect solar panels and wind turbines to electricity grids. They are also found in batteries, heat pumps and electric vehicle chargers. While inverters are built to allow remote access for updates and maintenance, the utility companies that use them typically install firewalls to prevent direct communication back to China.
However, rogue communication devices not listed in product documents have been found in some Chinese solar power inverters by U.S. experts who strip down equipment hooked up to grids to check for security issues, the two people said.
Over the past nine months, undocumented communication devices, including cellular radios, have also been found in some batteries from multiple Chinese suppliers, one of them said.
Reuters was unable to determine how many solar power inverters and batteries they have looked at. The rogue components provide additional, undocumented communication channels that could allow firewalls to be circumvented remotely, with potentially catastrophic consequences, the two people said.
Both declined to be named because they did not have permission to speak to the media.
"We know that China believes there is value in placing at least some elements of our core infrastructure at risk of destruction or disruption," said Mike Rogers, a former director of the U.S. National Security Agency. "I think that the Chinese are, in part, hoping that the widespread use of inverters limits the options that the West has to deal with the security issue."
A spokesperson for the Chinese embassy in Washington said: "We oppose the generalisation of the concept of national security, distorting and smearing China's infrastructure achievements."

reuters EN 2025 solar panels inverters China US kill-switch energy
You're Invited: Delivering malware via Google Calendar invites and PUAs https://www.aikido.dev/blog/youre-invited-delivering-malware-via-google-calendar-invites-and-puas
18/05/2025 12:18:51

Threat actor used malicious Google Invites and hidden Unicode “Private Use Access” characters (PUAs) to brilliantly obfuscate and hide a malicious NPM package.
On March 19th, 2025, we discovered a package called os-info-checker-es6 and were taken aback. We could tell it was not doing what it said on the tin. But what's the deal? We decided to investigate the matter and initially hit some dead ends. But patience pays off, and we eventually got most of the answers we sought. We also learned about Unicode PUAs (No, not pick-up artists). It was a roller coaster ride of emotions!

aikido.dev 2025 EN Google-Invites Unicode obfuscate NPM package
Twilio denies breach following leak of alleged Steam 2FA codes https://www.bleepingcomputer.com/news/security/twilio-denies-breach-following-leak-of-alleged-steam-2fa-codes/
18/05/2025 12:16:51

Twilio has denied in a statement for BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes.

The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam, offering to sell it for $5,000.

When examining the leaked files, which contained 3,000 records, BleepingComputer found historic SMS text messages with one-time passcodes for Steam, including the recipient's phone number.

Owned by Valve Corporation, Steam is the world's largest digital distribution platform for PC games, with over 120 million monthly active users.

Valve did not respond to our requests for a comment on the threat actor's claims.

Independent games journalist MellowOnline1, who is also the creator of the SteamSentinels community group that monitors abuse and fraud in the Steam ecosystem, suggests that the incident is a supply-chain compromise involving Twilio.

MellowOnline1 pointed to technical evidence in the leaked data that indicates real-time SMS log entries from Twilio's backend systems, hypothesizing a compromised admin account or abuse of API keys.

bleepingcomputer EN 2025 Sale SMS Steam Supply-Chain Supply-Chain-Attack Third-Party-Data-Breach Twilio denied
Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own https://www.bleepingcomputer.com/news/security/hackers-exploit-vmware-esxi-microsoft-sharepoint-zero-days-at-pwn2own/
18/05/2025 12:15:10

During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox.
The highlight was a successful attempt from Nguyen Hoang Thach of STAR Labs SG against VMware ESXi, which earned him $150,000 for an integer overflow exploit.

Dinh Ho Anh Khoa of Viettel Cyber Security was awarded $100,000 for hacking Microsoft SharePoint by leveraging an exploit chain combining an auth bypass and an insecure deserialization flaw.

Palo Alto Networks' Edouard Bochin and Tao Yan also demoed an out-of-bounds write zero-day in Mozilla Firefox, while Gerrard Tai of STAR Labs SG escalated privileges to root on Red Hat Enterprise Linux using a use-after-free bug, and Viettel Cyber Security used another out-of-bounds write for an Oracle VirtualBox guest-to-host escape.

In the AI category, Wiz Research security researchers used a use-after-free zero-day to exploit Redis and Qrious Secure chained four security flaws to hack Nvidia's Triton Inference Server.

On the first day, competitors were awarded $260,000 after successfully exploiting zero-day vulnerabilities in Windows 11, Red Hat Linux, and Oracle VirtualBox, reaching a total of $695,000 earned over the first two days of the contest after demonstrating 20 unique 0-days.

The Pwn2Own Berlin 2025 hacking competition focuses on enterprise technologies, introduces an AI category for the first time, and takes place during the OffensiveCon conference between May 15 and May 17.

bleepingcomputer EN 2025 Firefox NVIDIA Pwn2Own Red-Hat Redis SharePoint VirtualBox Vmware-ESXi Zero-Day BugBounty