Cell C, South Africa’s fourth largest mobile network operator, said on Wednesday morning that RansomHouse had unlawfully disclosed data after a security breach for which RansomHouse is claiming responsibility.
The operator, with 7.7 million subscribers as of February, was attacked in early November 2024 and RansomHouse acquired 2TB of data, which has been corroborated by files posted on the dark web, according to security company PFortner.
Data accessed included:
Full names and contact details (email, phone numbers)
ID numbers
Banking details (if stored for billing purposes)
Driver’s License Numbers
Medical Records (if supplied for closure of accounts on death of a family member)
Passport details
It is not clear how many people were affected.
On April 26, an unauthorized user exploited a vulnerability with a GitHub workflow to gain unauthorized access to tokens, all of which have now been invalidated. At this time, our investigation has found no evidence of code modifications, unauthorized access to production systems, exposure of customer data, or access to personal information.
Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages. These seven packages:
Coffin-Codes-Pro
Coffin-Codes-NET2
Coffin-Codes-NET
Coffin-Codes-2022
Coffin2022
Coffin-Grave
cfc-bsb
use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.
These packages have since been removed from the Python Package Index (PyPI).
Researchers say the behavior amounts to a persistent backdoor.
rom the department of head scratches comes this counterintuitive news: Microsoft says it has no plans to change a remote login protocol in Windows that allows people to log in to machines using passwords that have been revoked.
Password changes are among the first steps people should take in the event that a password has been leaked or an account has been compromised. People expect that once they've taken this step, none of the devices that relied on the password can be accessed.
The Remote Desktop Protocol—the proprietary mechanism built into Windows for allowing a remote user to log in to and control a machine as if they were directly in front of it—however, will in many cases continue trusting a password even after a user has changed it. Microsoft says the behavior is a design decision to ensure users never get locked out.
Independent security researcher Daniel Wade reported the behavior earlier this month to the Microsoft Security Response Center. In the report, he provided step-by-step instructions for reproducing the behavior. He went on to warn that the design defies nearly universal expectations that once a password has been changed, it can no longer give access to any devices or accounts associated with it.
Le Conseil fédéral a récemment ouvert une seconde consultation relative à la révision partielle des ordonnances liées à la Loi fédérale du 18 mars 2016 sur la surveillance de la correspondance par poste et télécommunication (LSCPT). Sous couvert de clarifier les définitions des fournisseurs et de leurs obligations, le projet cherche à largement étendre les obligations de rétention de données aux fournisseurs de service de communication dérivés en Suisse.
ESET researchers publish an analysis of Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks.<<
Malware Analysis Report - LockBit Ransomware v4.0
In this blog post, I’m going over my analysis for the latest variant of LockBit ransomware - version 4.0. Throughout this blog, I’ll walk through all the malicious functionalities discovered, complete with explanations and IDA screenshots to show my reverse engineering process step by step. This new version of LockBit 4.0 implements a hybrid-cryptography approach, combining Curve25519 with XChaCha20 for its file encryption scheme.
This version shares similarities with the older LockBit Green variant that is derived from Conti ransomware. While the multi-threading architecture seems more streamlined than previous versions, it still delivers an encryption speed that outpaces most other ransomware families.
As always, LockBit is still my most favorite malware to look at, and I certainly enjoyed doing a deep dive to understand how this version works.
Some Marks & Spencer (M&S) stores have been left with empty food shelves as the retailer continues to struggle with a cyber attack affecting its operations.
Online orders have been paused on the company's website and app since Friday, following problems with contactless pay and Click & collect over the Easter weekend.
The BBC understands food availability should be back to normal by the end of the week.
Meanwhile, security experts say a cyber crime group calling itself DragonForce is behind the mayhem.
This Google Threat Intelligence Group report presents an analysis of detected 2024 zero-day exploits.
Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances.
Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection.
We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts.
Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme.
Understand the mechanics, risks, and the future of IMSI catching (a.k.a. stealing your cellular ID) in 2025. Read our primer on this niche form of hacking.
The GSM (better known as 2G) protocol has a security vulnerability that exposes a user’s personal identifier (IMSI) in the clear, allowing for attribution and geolocation. This vulnerability is also in the UMTS (a.k.a. 3G) spec, and in the LTE (4G) spec. While the vulnerability was finally addressed in NR (5G), it’s imperfect and remains an exploitable 5G network vulnerability… and my favorite cybersecurity topic.
How to block an IMSI catcher
There’s no way to block an IMSI catcher. The only simple thing you can do, that can have an effect, is to set your network priority to 5G-SA – but most phones don’t support this feature.
If you’re really paranoid, stay in airplane mode until you’re in a very dense coverage area. While this is far from a guarantee, IMSI catchers are more likely to be sitting in areas with compromised signal quality.
Finally, you can keep your phone in a Faraday bag, which can provide up to 100 dB of signal attenuation. GSM
How luxury cars, $500,000 bar tabs and a mysterious kidnapping attempt helped investigators unravel the heist of a lifetime.
In the balmy late afternoon of Aug. 25, 2024, Sushil and Radhika Chetal were house-hunting in Danbury, Conn., in an upscale neighborhood of manicured yards and heated pools. Sushil, a vice president at Morgan Stanley in New York, was in the driver’s seat of a new matte gray Lamborghini Urus, an S.U.V. with a price tag starting around $240,000. As they turned a corner, the Lamborghini was suddenly rammed from behind by a white Honda Civic. At the same time, a white Ram ProMaster work van cut in front, trapping the Chetals. According to a criminal complaint filed after the incident, a group of six men dressed in black and wearing masks emerged from their vehicles and forced the Chetals from their car, dragging them toward the van’s open side door.
After the August 2024 crypto heist, ZachXBT was able to track Lam through what’s called OSINT — open-source intelligence. In other words, social media. In Com chat groups, word was spreading that Lam was on a wild spending spree. Nobody seemed to know the source of his money, but they spoke of his lavish exploits at Los Angeles nightclubs. ZachXBT researched the most popular nightclubs in the city and then searched Instagram stories from partyers and the clubs themselves. In one post, Malone was filmed wearing a white Moncler jacket and what appeared to be diamond rings and diamond-encrusted sunglasses. He stood up on the table and began showering the crowd with hundred-dollar bills. As money rained down, servers paraded in $1,500 bottles of Champagne topped with sparklers and held up signs that read “@Malone.” He spent $569,528 in one evening alone. At one nightclub, Lam and his crew trolled ZachXBT, getting clubgoers to hold up signs reading “TOLD U WE’D WIN,” while another read, “[Expletive] ZACHXBT.”
Microsoft synchronization capabilities for managing identities in hybrid environments are not without their risks. In this blog, Tenable Research explores how potential weaknesses in these synchronization options can be exploited.
Synchronizing identity accounts between Microsoft Active Directory (AD) and Entra ID is important for user experience, as it seamlessly synchronizes user identities, credentials and groups between on-premises and cloud-based systems. At the same time, Tenable Research shows the following synchronization options can introduce cybersecurity risk that extend beyond hybrid tenants:
the already known Directory Synchronization Accounts Entra role
the new On Premises Directory Sync Account Entra role
the new Microsoft Entra AD Synchronization Service application
In 2024, Microsoft introduced two new security hardening measures for hybrid Entra ID synchronization. However, despite these improvements, both the Directory Synchronization Accounts and the new On Premises Directory Sync Account roles retain access to critical synchronization APIs. Moreover, the new 'Microsoft Entra AD Synchronization Service' application exposes the privileged ADSynchronization.ReadWrite.All permission, introducing another potential attack path that security teams must watch closely.
In this technical blog, we break down the changes Microsoft made to each of its synchronization options, explore where new risks were introduced and provide guidance on how Tenable Identity Exposure can help you monitor and secure your hybrid synchronization environment.
April 23, 2025
The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) has released its latest annual report. The 2024 Internet Crime Report combines information from 859,532 complaints of suspected internet crime and details reported losses exceeding $16 billion—a 33% increase in losses from 2023.
The top three cyber crimes, by number of complaints reported by victims in 2024, were phishing/spoofing, extortion, and personal data breaches. Victims of investment fraud, specifically those involving cryptocurrency, reported the most losses—totaling over $6.5 billion.
According to the 2024 report, the most complaints were received from California, Texas, and Florida. As a group, people over the age of 60 suffered the most losses at nearly $5 billion and submitted the greatest number of complaints.
“Reporting is one of the first and most important steps in fighting crime so law enforcement can use this information to combat a variety of frauds and scams,” said FBI Director, Kash Patel. “The IC3, which is celebrating its 25th anniversary this year, is only as successful as the reports it receives; that’s why it’s imperative that the public immediately report suspected cyber-enabled criminal activity to the FBI.”
To promote public awareness, the IC3 produces an annual report to aggregate and highlight the data provided by the general public. The quality of the data is a direct reflection of the information the public provides through the IC3 website. The IC3 standardizes the data by categorizing each complaint and analyzes the data to identify and forecast trends in internet crime. The annual report helps the FBI develop effective relationships with industry partners and share information for investigative and intelligence purposes for law enforcement and public awareness.
The IC3, which was established in May 2000, houses nine million complaints from the public in its database and continues to encourage anyone who thinks they’ve been the victim of a cyber-enabled crime, regardless of dollar loss, to file a complaint through the IC3 website. The more comprehensive complaints the FBI receives, the more effective it will be in helping law enforcement gain a more accurate picture of the extent and nature of internet-facilitated crimes.
The FBI recommends that everyone frequently review consumer and industry alerts published by the IC3. If you or your business are a victim of an internet crime, immediately notify all financial institutions involved in the relevant transactions, submit a complaint to www.ic3.gov, contact your nearest FBI field office, and contact local law enforcement.
Learn more about the history of IC3 by listening to this previously released FBI podcast episode: Inside the FBI: IC3 Turns 20.
Hannah Neumann was targeted in a cyber-espionage operation by an infamous Iranian hacking group earlier this year, she said.
A prominent European Parliament member was the victim of what is believed to be a cyber-espionage operation tied to her role as chair of the chamber's Iran delegation, she told POLITICO.
The office of Hannah Neumann, a member of the German Greens and head of the delegation spearheading work on European Union-Iran relations, was targeted by a hacking campaign that started in January, she said. Her staff was contacted with messages, phone calls and emails by hackers impersonating a legitimate contact. They eventually managed to target a laptop with malicious software.
"It was a very sophisticated attempt using various ways to manage that someone accidentally opens a link, including putting personal pressure on them," Neumann said.
Google intelligence report finds UK is a particular target of IT worker ploy that sends wages to Kim Jong Un’s state
British companies are being urged to carry out job interviews for IT workers on video or in person to head off the threat of giving jobs to fake North Korean employees.
The warning was made after analysts said that the UK had become a prime target for hoax IT workers deployed by the Democratic People’s Republic of Korea. They are typically hired to work remotely, enabling them to escape detection and send their wages to Kim Jong-un’s state.
Google said in a report this month that a case uncovered last year involved a single North Korean worker deploying at least 12 personae across Europe and the US. The IT worker was seeking jobs within the defence industry and government sectors. Under a new tactic, the bogus IT professionals have been threatening to release sensitive company data after being fired.
Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.
The intermittent cyberwar between Israel and Iran, stretching back to Israel's role in the creation and deployment of the Stuxnet malware that sabotaged Iran's nuclear weapons program, has been perhaps the longest-running conflict in the era of state-sponsored hacking. But since Hamas' October 7 attack and Israel's retaliatory invasion of Gaza, a new player in that conflict threatens not just digital infrastructure in Israel but also critical systems in the US and around the world.
The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government's most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure. Despite being operated by members of Iran's Revolutionary Guard Corps, according to US officials who have offered a $10 million bounty for information leading to their arrest, the group initially took on the mantle of a “hacktivist” campaign.
In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild.
In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities was from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure. This trend continues from a similar pace we saw in 2024. This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt.
Here are the key take-aways from our analysis and coverage of known exploited vulnerabilities:
In this two-part series, SpiderLabs explores the malicious traffic associated with Proton66, revealing the extent and nature of these attacks.
Mass scanning and exploit campaigns targeting multiple sectors
Starting from January 8, 2025, SpiderLabs observed an increase in mass scanning, credential brute forcing, and exploitation attempts originating from Proton66 ASN targeting organizations worldwide. Although malicious activity was seen in the past, the spike and sudden decline observed later in February 2025 were notable, and offending IP addresses were investigated.
AS198953, belonging to Proton66 OOO, consists of five net blocks, which are currently listed on blocklists such as Spamhaus due to malicious activity. Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute force attempts. Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years. For instance, the last activities reported in AbuseIPDB for the IP addresses 45.134.26.8 and 45.135.232.24 were noted in November and July 2021, respectively.
