Cyberveille curated by Decio
Zyxel NWA50AX Pro - Discovery of an Nday Variant https://frycos.github.io/vulns4free/2025/06/17/zyxel-nday-variant.html
18/06/2025 07:53:52

Today was an eventful day thanks to many interesting blog posts, e.g. from my friends at watchTowr. So I thought, why not publish a small quick-and-dirty blog post myself about a story from last week? This blog post may not be of the usual quality, but it was a good time to write it.

frycos.github.io EN 2025 research Zyxel NWA50AX Pro Nday Variant
Police seizes Archetyp Market drug marketplace, arrests admin https://www.bleepingcomputer.com/news/security/police-seizes-archetyp-market-drug-marketplace-arrests-admin/
17/06/2025 08:36:51

Law enforcement authorities from six countries took down the Archetyp Market, an infamous darknet drug marketplace that has been operating since May 2020.

Archetyp Market sellers provided the market's customers with access to high volumes of drugs, including cocaine, amphetamines, heroin, cannabis, MDMA, and synthetic opioids like fentanyl through more than 3,200 registered vendors and over 17,000 listings.

Over its five years of activity, the marketplace amassed over 612,000 users with a total transaction volume of over €250 million (approximately $289 million) in Monero cryptocurrency transactions.

As part of this joint action codenamed 'Operation Deep Sentinel' (led by German police and supported by Europol and Eurojust), investigators in the Netherlands took down the marketplace's infrastructure, while a 30-year-old German national suspected of being Archetyp Market's administrator was apprehended in Barcelona, Spain.

One Archetyp Market moderator and six of the marketplace's top vendors were also arrested in Germany and Sweden.

In total, law enforcement officers seized 47 smartphones, 45 computers, narcotics, and assets worth €7.8 million from all suspects during Operation Deep Sentinel.

bleepingcomputer EN 2025 Archetyp-Market Arrest Dark-Web Drugs Law-Enforcement Marketplace Monero
Coming to Apple OSes: A seamless, secure way to import and export passkeys https://arstechnica.com/security/2025/06/apple-previews-new-import-export-feature-to-make-passkeys-more-interoperable/
16/06/2025 22:29:17

Apple OSes will soon transfer passkeys seamlessly and securely across platforms.

Apple this week provided a glimpse into a feature that solves one of the biggest drawbacks of passkeys, the industry-wide standard for website and app authentication that isn't susceptible to credential phishing and other attacks targeting passwords.

The import/export feature, which Apple demonstrated at this week’s Worldwide Developers Conference, will be available in the next major releases of iOS, macOS, iPadOS, and visionOS. It aims to solve one of the biggest shortcomings of passkeys as they have existed to date. Passkeys created on one operating system or credential manager are largely bound to those environments. A passkey created on a Mac, for instance, can sync easily enough with other Apple devices connected to the same iCloud account. Transferring them to a Windows device or even a dedicated credential manager installed on the same Apple device has been impossible.

Growing pains
That limitation has led to criticisms that passkeys are a power play by large companies to lock users into specific product ecosystems. Users have also rightly worried that the lack of transferability increases the risk of getting locked out of important accounts if a device storing passkeys is lost, stolen, or destroyed.

The FIDO Alliance, the consortium of more than 100 platform providers, app makers, and websites developing the authentication standard, has been keenly aware of the drawback and has been working on programming interfaces that will make the passkey syncing more flexible. A recent teardown of the Google password manager by Android Authority shows that developers are actively implementing import/export tools, although the company has yet to provide any timeline for their general availability. (Earlier this year, the Google password manager added functionality to transfer passwords to iOS apps, but the process is clunky.) A recent update from FIDO shows that a large roster of companies are participating in the development, including Dashlane, 1Password, Bitwarden, Devolutions, NordPass, and Okta.

arstechnica.com EN 2025 Apple passkeys import export FIDO
Information on the cyberattack targeting Sorbonne Université | Sorbonne Université https://www.sorbonne-universite.fr/presse/informations-sur-la-cyberattaque-dont-sorbonne-universite-fait-lobjet
16/06/2025 16:50:55

Against a general backdrop in which many institutions are the target of computer attacks, Sorbonne Université has been the victim of a cyberattack. Its information system is experiencing severe disruption following the detection of a security incident that damaged various digital tools without, however, preventing continuity of service. To deal with this situation, corrective measures have been put in place to strengthen security arrangements.
The latest results of the investigations carried out by Sorbonne Université's teams, together with cybersecurity experts, have revealed the compromise of several categories of sensitive data. These include professional e-mail addresses, bank details, social security numbers and information relating to staff pay.

In accordance with the General Data Protection Regulation (GDPR), Sorbonne Université immediately filed a notification with the Commission nationale de l'informatique et des libertés (CNIL) and the Agence nationale de la sécurité des systèmes d'information (ANSSI), and lodged a criminal complaint on behalf of the institution.

Sorbonne Université's teams are working tirelessly to manage this cyberattack and to restore all services as quickly as possible under the best possible conditions. All digital services essential to the work of university staff are thus operating during working hours.

A dedicated toll-free number will be made available to staff early next week, along with an FAQ to answer their questions.

sorbonne-universite FR 2025 cyberattaque RGPD Université
Hackers take aim at Washington Post journalists in an apparent ‘targeted’ cyberattack | CNN Business https://edition.cnn.com/2025/06/15/media/washington-post-cyberback-emails
16/06/2025 13:54:46

Hackers have tried to break into the email accounts of a select number of Washington Post journalists, according to an internal Washington Post memo obtained by CNN.

The Post discovered the “possible targeted” hack of its email system last Thursday, prompting the newspaper to reset login credentials for all its employees on Friday, Washington Post Executive Editor Matt Murray said in a memo Sunday to employees.

“Although our investigation is ongoing, we believe the incident affected a limited number of Post journalists accounts, and we have contacted those whose accounts have been impacted,” Murray said.

“We do not believe this unauthorized intrusion impacted any additional Post systems or has had any impact for our customers,” he added.

It was not immediately clear who was responsible for the hack. Journalists are regular targets for both state-backed spies, who are interested in tracking their reporting before it becomes public, and cybercriminals, who are interested in extorting news organizations.

A spokesperson for The Post declined to comment when asked who might be responsible for the hack.

CNN EN 2025 Washington-Post email accounts targeted-hack incident
World Leaks: An Extortion Platform https://blog.lexfo.fr/world-leaks-an-extortion-platform.html
16/06/2025 09:50:53
  • World Leaks emerged in early 2025 as a new project by the operators of the Hunters International ransomware group, shifting from double extortion with ransomware to extortion-only attacks due to increased risks and reduced profitability.
  • The World Leaks and Hunters International platforms share numerous similarities in design, layout, and functionality.
  • World Leaks operates four distinct platforms: a main data leak site, a negotiation site for ransom payments, an Insider platform for journalists, and an affiliate panel.
  • World Leaks faced initial bugs, downtime, and fluctuations in claimed data leak sizes, raising questions about data accuracy.
  • Despite claiming to be extortion-only, some victims suffered ransomware deployment.
  • We learned that the Secp0 ransomware group is collaborating with World Leaks, which suggests the platform may attract other threat actors in future.
lexfo EN 2025 extorsion World-Leaks profile Hunters-International
Over 46,000 Grafana instances exposed to account takeover bug https://www.bleepingcomputer.com/news/security/over-46-000-grafana-instances-exposed-to-account-takeover-bug/
16/06/2025 09:23:16

More than 46,000 internet-facing Grafana instances remain unpatched and exposed to a client-side open redirect vulnerability that allows executing a malicious plugin and account takeover.

The flaw is tracked as CVE-2025-4123 and impacts multiple versions of the open-source platform used for monitoring and visualizing infrastructure and application metrics.

The vulnerability was discovered by bug bounty hunter Alvaro Balada and was addressed in security updates that Grafana Labs released on May 21.

bleepingcomputer EN 2025 Account-Takeover Grafana Open-Redirect Vulnerability Vulnerability-Management XSS
EU allocates €145.5 million to boost European cybersecurity, including for hospitals and healthcare providers https://digital-strategy.ec.europa.eu/en/news/eu-allocates-eu1455-million-boost-european-cybersecurity-including-hospitals-and-healthcare
15/06/2025 16:08:51

The European Commission is making available €145.5 million to empower small and medium-sized enterprises and public administrations in deploying cybersecurity solutions and adopting the results of cybersecurity research.

For this purpose, the European Cybersecurity Competence Centre (ECCC) has launched two calls for proposals.

The first call is part of the Digital Europe Programme, with a budget of €55 million. €30 million of this amount will enhance the cybersecurity of hospitals and healthcare providers, helping them detect, monitor, and respond to cyber threats, particularly ransomware. This will boost the resilience of the European healthcare system, especially in the current geopolitical context, aligning with the EU action plan on cybersecurity in hospitals and healthcare.

The second call, under Horizon Europe Programme, has a budget of around €90.5 million. It will support the use and development of generative AI for cybersecurity applications, new advanced tools and processes for operational cybersecurity, and privacy-enhancing technologies as well as post-quantum cryptography.

The deadline for applications to the first call is 7 October, and for the second, it is 12 November. Both calls for proposals are managed by the European Cybersecurity Competence Centre. The eligibility criteria and all relevant call documents are available on the Funding and Tenders portal.


digital-strategy.ec.europa.eu EN 2025 investment EU cybersecurity Horizon-Europe-Programme
ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Aveva, CISA https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-addressed-by-siemens-schneider-aveva-cisa/
15/06/2025 15:46:49

Industrial solutions providers Siemens, Schneider Electric and Aveva have released June 2025 Patch Tuesday ICS security advisories.

While most of the vulnerabilities described in the advisories have been patched, only mitigations and workarounds are currently available for some of the flaws.

Siemens published six new advisories this Patch Tuesday. The most important describes CVE-2025-40585, a critical default credentials issue impacting Siemens Energy Services solutions that use the Elspec G5 Digital Fault Recorder (G5DFR).

According to Siemens, this component has default credentials with admin privileges and “a client configuration with remote access could allow an attacker to gain remote control of the G5DFR component and tamper outputs from the device”. Users can mitigate this issue by changing the default credentials from the G5DFR interface.

Critical issues are also described in an advisory for Simatic S7-1500 CPUs. Siemens is working on updates for the product to address dozens of vulnerabilities affecting the GNU/Linux subsystem.

Two advisories cover medium-severity issues in industrial communication devices that use the Sinec OS. The flaws allow an attacker to “perform actions that exceed the permissions of the ‘guest’ role”.

The industrial giant has also informed customers about a Tecnomatix Plant Simulation vulnerability that can lead to arbitrary code execution by tricking a user to open malicious files. The issue was reported by researcher Michael Heinzl, who is often credited by vendors for reporting vulnerabilities whose exploitation involves opening specially crafted files.

Siemens also informed customers about an XSS vulnerability in the Palo Alto Networks virtual firewall present in some Ruggedcom devices. Patches are being prepared by Siemens.

Schneider Electric has published three new advisories this Patch Tuesday. One of them describes XSS and DoS vulnerabilities affecting some Modicon controllers.

Four vulnerabilities have been patched in the EVLink WallBox electric vehicle charging station, including ones that can be exploited for reading or writing arbitrary files, launching XSS attacks, and taking remote control over the charging station.

Schneider has also informed customers about vulnerabilities in the third-party real-time operating system powering Insight Home and Insight Facility products. The products have reached end of life and cannot be updated, but users can implement mitigations to reduce the risk of exploitation.

Aveva has published three new advisories. One of them describes two high-severity DoS vulnerabilities in the PI Data Archive product. The other two advisories cover medium-severity XSS flaws in PI Connector for CygNet and PI Web API.

CISA also published three new advisories on Tuesday. One of them describes high-severity SinoTrack GPS receiver vulnerabilities that can allow an attacker to track vehicles and disconnect power to the fuel pump.

The other advisories describe the impact of a 2022 OpenSSL vulnerability on Hitachi Energy Relion products, and a remote code execution flaw discovered by Heinzl in MicroDicom DICOM Viewer.

ABB published advisories a few days before Patch Tuesday. The company informed customers about a critical EIBPORT vulnerability that leads to information disclosure, as well as flaws in third-party components used by its Welcome IP-Gateway product.

Also on Tuesday, Kaspersky published its ICS threat landscape report for Q1 2025, which shows that the security firm’s products blocked threats on nearly 22% of protected ICS devices.

The report looks at threat sources, regional trends, and the prevalence of various types of malware.

securityweek EN 2025 Patch-Tuesday Vulnerabilities ICS CVE-2025-40585 Aveva Siemens Schneider
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto https://www.trellix.com/blogs/research/inside-the-lockbits-admin-panel-leak-affiliates-victims-and-millions-in-crypto/
14/06/2025 22:41:18

On May 7, 2025, the LockBit admin panel was hacked by an anonymous actor who replaced their TOR website with the text ‘Don’t do crime CRIME IS BAD xoxo from Prague’ and shared a SQL dump of their admin panel database in an archived file ‘paneldb_dump.zip’.

There is not much information available regarding the individual identified as 'xoxo from Prague' whose objective seems to be the apprehension of malicious ransomware threat actors. It is uncommon for a major ransomware organization's website to be defaced; more so for its administrative panel to be compromised. This leaked SQL database dump is significant as it offers insight into the operational methods of LockBit affiliates and the negotiation tactics they employ to secure ransom payments from their victims.

Trellix Advanced Research Center’s investigations into the leaked SQL database confirmed with high confidence that the database originates from LockBit's affiliates admin panel. This panel allows the generation of ransomware builds for victims, utilizing LockBit Black 4.0 and LockBit Green 4.0, compatible with Linux, Windows and ESXi systems, and provides access to victim negotiation chats.

The leaked SQL database dump encompasses data from December 18, 2024 to April 29, 2025, including details pertaining to LockBit adverts (aka ransomware affiliates), victim organizations, chat logs, cryptocurrency wallets and ransomware build configurations.

trellix EN 2025 LockBit Leak Affiliates Crypto research
One-Click RCE in ASUS's Preinstalled Driver Software https://mrbruh.com/asusdriverhub/
14/06/2025 10:10:41

After ignoring the advice from my friend, I bought a new ASUS motherboard for my PC. I was a little concerned about having a BIOS that would by default silently install software into my OS in the background. But it could be turned off so I figured I would just do that.

DriverHub is an interesting piece of driver software because it doesn’t have any GUI. Instead it’s just a background process that communicates with the website driverhub.asus.com and tells you what drivers to install for your system and which ones need updating. Naturally I wanted to know more about how this website knew what drivers my system needed and how it was installing them, so I cracked open the Firefox network tab.

As I expected, the website uses RPC to talk to the background process running on my system. This is where the background process hosts an HTTP or Websocket service locally which a website or service can connect to by sending an API request to 127.0.0.1 on a predefined port, in this case 53000.

Right about now my elite hacker senses started tingling.
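The localhost RPC pattern described above is reachable from any web page the user has open, because a browser will send requests to 127.0.0.1 just as readily as to any other host. The following is an added example, not ASUS or DriverHub code, of how such a service should gate callers: exact matching of the browser-supplied Origin header against an allowlist, with a generic substring anti-pattern shown for contrast (the contrast is illustrative and says nothing about what DriverHub's own check does). The port 53000 comes from the text; the allowed origin driverhub.example.test, the JSON action and the handler names are assumptions:

```python
"""Localhost RPC endpoint that only honours requests from an allowlisted web origin.
Added example; not ASUS/DriverHub code. Allowed origin and action are assumptions."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://driverhub.example.test"}   # assumed; exact scheme://host[:port]
LISTEN = ("127.0.0.1", 53000)                          # port quoted in the article


def origin_allowed(origin: Optional[str]) -> bool:
    """Exact-match check. A missing Origin (non-browser client) is refused as well,
    because the service exists only to be driven by the vendor's web page."""
    if not origin:
        return False
    parts = urlsplit(origin)
    # A real Origin header is scheme://host[:port] with no path; anything else is refused.
    if parts.scheme != "https" or not parts.netloc or parts.path:
        return False
    return f"{parts.scheme}://{parts.netloc}".lower() in ALLOWED_ORIGINS


def origin_allowed_substring(origin: Optional[str]) -> bool:
    """Generic anti-pattern, for contrast only: a substring test also accepts
    lookalike hosts such as driverhub.example.test.attacker.example."""
    return bool(origin) and "driverhub.example.test" in origin


class RpcHandler(BaseHTTPRequestHandler):
    def _reject(self) -> None:
        self.send_response(403)
        self.end_headers()

    def _cors(self, origin: str) -> None:
        # Echo only an origin that passed the exact-match check, never "*".
        self.send_header("Access-Control-Allow-Origin", origin)
        self.send_header("Vary", "Origin")

    def do_OPTIONS(self) -> None:            # CORS preflight
        origin = self.headers.get("Origin")
        if not origin_allowed(origin):
            self._reject()
            return
        self.send_response(204)
        self._cors(origin)
        self.send_header("Access-Control-Allow-Methods", "POST")
        self.send_header("Access-Control-Allow-Headers", "Content-Type")
        self.end_headers()

    def do_POST(self) -> None:
        origin = self.headers.get("Origin")
        if not origin_allowed(origin):
            self._reject()
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = json.loads(self.rfile.read(length) or b"{}")
        # Only a fixed, side-effect-free action is exposed; no "run this file" verb.
        data = json.dumps({"echo": body.get("query", "")}).encode()
        self.send_response(200)
        self._cors(origin)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(LISTEN, RpcHandler).serve_forever()
```

The Origin header is set by the browser and cannot be altered by page script, so an exact comparison of scheme and host is the right gate for a browser-facing local service; a request with no Origin at all (curl, a local process) gets the same 403, and the exposed action never takes a file path or command from the caller.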

mrbruh EN 2025 ASUS RPC driver-hub Vulnerability Driver
Sweden under cyberattack: Prime minister sounds the alarm - Euractiv https://www.euractiv.com/section/tech/news/sweden-under-cyberattack-prime-minister-sounds-the-alarm/
13/06/2025 15:26:41

No longer a neutral state, Sweden is now facing a wave of cyberattacks targeting key institutions.

Sweden is under attack, Prime Minister Ulf Kristersson said on Wednesday, following three days of disruptions targeting public broadcaster SVT and other key institutions.

"We are exposed to enormous cyberattacks. Those on SVT have now been recognised, but banks and Bank-id have also been affected," Kristersson told journalists in parliament.

The attacks have been identified as Distributed Denial-of-Service (DDoS) events and disrupted services, raising concerns about the resilience of Sweden’s digital infrastructure.

While Kristersson did not name a specific perpetrator, he referred to earlier reports by the Swedish Security Service, which has identified Russia, China, and Iran as frequent actors behind such cyber operations.

The incidents have heightened concerns about vulnerabilities in Sweden’s cybersecurity systems and underscored the growing threat to critical infrastructure in one of the world’s most connected nations, where over 93% of households have internet access.

Cybersecurity experts have warned that such breaches could escalate, impacting not just digital services, but also public trust.

The attacks come amid heightened geopolitical tensions. Sweden's recent accession to NATO and its support for Ukraine have likely made it a more prominent target for cyberattacks, including those originating from hostile states.

Previously known for its military neutrality, Sweden now faces what Kristersson described earlier this year as a "new and more dangerous reality" since joining NATO in 2024.

As part of its pledge to meeting NATO's 2% of GDP defence spending target, the Swedish government has committed to invest heavily in cybersecurity and military capabilities.

euractiv EN 2025 Sweden DDoS NATO
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure https://www.recordedfuture.com/research/predator-still-active-new-links-identified
13/06/2025 15:20:14

Following major public exposures by Insikt Group and others throughout the last two years, alongside US government sanctions targeting the Intellexa Consortium — the organizational structure behind the Predator mobile spyware — Insikt Group observed a significant decline in Predator-related activity. This apparent decline raised questions about whether the combination of US sanctions, public exposure, and broader international efforts to curb spyware proliferation, such as the UK and France-led Pall Mall process, had dealt a lasting blow to Intellexa’s operations. Yet, Predator activity has not stopped, and in recent months, Insikt Group has observed a resurgence of activity, reflecting the operators’ continued persistence. While much of the identified infrastructure is tied to known Predator operators in countries previously identified by Insikt Group, a new customer has also been identified in Mozambique — a country not previously publicly linked to the spyware. This aligns with the broader observation that Predator is highly active in Africa, with over half of its identified customers located on the continent. Additionally, Insikt Group has found a connection between high-tier Predator infrastructure and a Czech entity previously associated with the Intellexa Consortium.

  • Insikt Group has identified new infrastructure associated with Predator, indicating continued operations despite public exposure, international sanctions, and policy interventions.
  • The newly identified infrastructure includes both victim-facing Tier 1 servers as well as high-tier components that likely link back to Predator operators in various countries.
  • Although much of Predator’s infrastructure remains consistent with previous reporting, its operators have introduced changes designed to further evade detection — a pattern Insikt Group noted in earlier reporting.
  • Insikt Group has detected Predator-related activity in several countries throughout the last twelve months and is the first to report a suspected Predator operator presence in Mozambique.
  • Insikt Group also connected components of Predator’s infrastructure to a Czech entity previously linked with the Intellexa Consortium by a Czech investigative outlet.
recordedfuture EN 2025 Predator Spyware Resurgence Infrastructure report
Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/
12/06/2025 20:43:28

On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to the technical analysis of their cases. In this report, we discuss key findings from our forensic analyses of their devices.

  • Our analysis finds forensic evidence confirming with high confidence that both a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware.
  • We identify an indicator linking both cases to the same Paragon operator.
  • Apple confirms to us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1 and has assigned the vulnerability CVE-2025-43200.
citizenlab EN 2025 Graphite Paragon iOS Mercenary Spyware research
Apple fixes new iPhone zero-day bug used in Paragon spyware hacks https://techcrunch.com/2025/06/12/apple-fixes-new-iphone-zero-day-bug-used-in-paragon-spyware-hacks/
12/06/2025 19:51:27

Researchers revealed on Thursday that two European journalists had their iPhones hacked with spyware made by Paragon. Apple says it has fixed the bug that was used to hack their phones.

The Citizen Lab wrote in its report, shared with TechCrunch ahead of its publication, that Apple had told its researchers that the flaw exploited in the attacks had been “mitigated in iOS 18.3.1,” a software update for iPhones released on February 10.

Until this week, the advisory of that security update mentioned only one unrelated flaw, which allowed attackers to disable an iPhone security mechanism that makes it harder to unlock phones.

On Thursday, however, Apple updated its February 10 advisory to include details about a new flaw, which was also fixed at the time but not publicized.

“A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” reads the now-updated advisory.

In the final version of its report published Thursday, The Citizen Lab confirmed this is the flaw used against Italian journalist Ciro Pellegrino and an unnamed “prominent” European journalist.

It’s unclear why Apple did not disclose the existence of this patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.

The Paragon spyware scandal began in January, when WhatsApp notified around 90 of its users, including journalists and human rights activists, that they had been targeted with spyware made by Paragon, dubbed Graphite.

Then, at the end of April, several iPhone users received a notification from Apple alerting them that they had been the targets of mercenary spyware. The alert did not mention the spyware company behind the hacking campaign.

On Thursday, The Citizen Lab published its findings confirming that two journalists who had received that Apple notification were hacked with Paragon’s spyware.

It’s unclear if all the Apple users who received the notification were also targeted with Graphite. The Apple alert said that “today’s notification is being sent to affected users in 100 countries.”

techcrunch EN 2025 Apple iPhone zero-day bug Paragon spyware
Éducation nationale: Stormous appears to have assembled a "combolist" https://www.lemagit.fr/actualites/366625817/Education-nationale-Stormous-semble-avoir-constitue-une-combolist
12/06/2025 12:39:24

A thunderclap on Tuesday 10 June 2025: the malicious group Stormous claimed a cyberattack against the systems of the Éducation nationale (France's national education ministry).

It claims to hold data on more than 40,000 people and, to back up its allegations, provides a sample of just under 1,400 lines, each a login/password or e-mail address/password combination. All of this for a handful of online services linked to the Éducation nationale.

But above all, this sample suggests that Stormous's allegations are false.

We compared it against the data of Hudson Rock's Cavalier platform.

The conclusion quickly becomes clear: Stormous has begun disclosing a combolist most likely assembled, in whole or in part, from the countless infostealer logs shared daily, for free and to all comers, on numerous more or less specialised Telegram channels. A reminder of the huge ALIEN TXTBASE list from late February.

LeMagIT FR 2025 Stormous combolist cleptogiciels infostealer alien-textbase
Amending the FIDO2 standard: strengthening digital security for Swiss banks and their customers https://www.swissbanking.ch/fr/medias-politique/actualites/modification-de-la-norme-fido2-renforcer-la-securite-numerique-pour-les-banques-suisses-et-leurs-clients
12/06/2025 09:40:50

The Swiss Bankers Association (SBA) and the Swiss Financial Sector Cyber Security Centre (Swiss FS-CSC) support the recommendation of the German Banking Industry Committee (GBIC) to amend the FIDO2 standard, a change considered important from a Swiss point of view as well, so that the standard can be used to secure transaction confirmations and not only for authentication at login.

The GBIC advocates extending the FIDO2 standard so that the authenticator can display transaction data securely. At present the standard is essentially focused on logging in to platforms and systems, and on using the browser for display. The GBIC, however, calls for the standard to be extended so that it can be used for a broader range of transactions and activities. In banking, this mainly concerns online banking and card payments.

We support the GBIC's proposal to amend the FIDO2 standard. We are convinced that this change would also benefit the Swiss banking sector, since it would allow FIDO2 to be used more widely, beyond authentication at login. The SBA and Swiss FS-CSC therefore support the GBIC's proposal to:

  • Transmit the transaction data to the authenticator: instead of sending only a hash value, the full transaction data would be transmitted to the external authenticator.
  • Integrate a secure display: authenticators with a display should be extended so that they present the transmitted transaction data to users, who could then verify them.
  • Bind the authentication code to the displayed data: the authentication code generated by the authenticator should include a hash value computed by the authenticator over the displayed data, so that the authentication code is securely bound to that data. This would allow the bank to verify the secure display and confirmation of the transaction data.
  • Extend the CTAP specification: the FIDO Alliance should extend the Client to Authenticator Protocol (CTAP) to include a standardised interface for transmitting and displaying transaction data.
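A toy model of the four points above, added here as an example rather than code from the SBA, GBIC or FIDO Alliance. HMAC-SHA256 with a shared key stands in for the credential's asymmetric signature, the two transactions are constructed, and the secure display is simulated by a flag saying whether the user actually reads it. It contrasts the current shape, where the authenticator signs a hash the browser hands it, with the proposed shape, where the authenticator hashes the data it displayed and the bank checks that hash against the transaction it is about to execute:

```python
"""Toy model of hash-only confirmation vs. display-bound confirmation (GBIC proposal).
Added example, not SBA/GBIC/FIDO code. HMAC with a shared key stands in for the
authenticator's private-key signature; transactions and client data are constructed."""
import hashlib
import hmac
import json

KEY = b"demo-credential-key"                                  # stand-in for the credential key
CLIENT_DATA_HASH = hashlib.sha256(b'{"type":"webauthn.get","challenge":"demo"}').digest()
INTENDED = {"to": "CH93 0076 2011 6238 5295 7", "amount": "120.00", "ccy": "CHF"}   # constructed
TAMPERED = {"to": "CH56 0483 5012 3456 7800 9", "amount": "9800.00", "ccy": "CHF"}  # constructed


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so bank and authenticator hash identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def tx_hash(tx: dict) -> bytes:
    return hashlib.sha256(canonical(tx)).digest()


def sign(to_be_signed: bytes) -> bytes:
    return hmac.new(KEY, to_be_signed, hashlib.sha256).digest()


def verify(to_be_signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(to_be_signed), sig)


# --- today: the authenticator receives only a hash it cannot interpret ---
def authenticator_hash_only(client_data_hash: bytes, h: bytes) -> bytes:
    return sign(client_data_hash + h)


def bank_hash_only(to_execute: dict, sig: bytes) -> bool:
    return verify(CLIENT_DATA_HASH + tx_hash(to_execute), sig)


def hash_only_flow(malware: bool) -> bool:
    """Browser malware submits TAMPERED to the bank and hands the authenticator
    hash(TAMPERED) while the web page still shows INTENDED. The bank cannot tell."""
    to_execute = TAMPERED if malware else INTENDED
    sig = authenticator_hash_only(CLIENT_DATA_HASH, tx_hash(to_execute))
    return bank_hash_only(to_execute, sig)


# --- proposal: full data in, hash computed over the displayed data by the authenticator ---
def authenticator_with_display(client_data_hash: bytes, tx: dict, user_reads_display: bool):
    """Returns (displayed_hash, signature), or None if the user rejects what is displayed.
    The user is modelled as approving exactly the INTENDED transaction when they read."""
    if user_reads_display and tx != INTENDED:
        return None                                # secure display exposes the substitution
    h = tx_hash(tx)                                # computed by the authenticator, not the browser
    return h, sign(client_data_hash + h)


def bank_with_display(to_execute: dict, displayed_hash: bytes, sig: bytes) -> bool:
    if not hmac.compare_digest(displayed_hash, tx_hash(to_execute)):
        return False                               # what was shown != what would be executed
    return verify(CLIENT_DATA_HASH + displayed_hash, sig)


def display_bound_flow(to_bank: dict, to_authenticator: dict, user_reads_display: bool) -> str:
    """to_bank: transaction the (possibly malware-controlled) browser submits for execution;
    to_authenticator: transaction data the browser forwards for display and signing."""
    res = authenticator_with_display(CLIENT_DATA_HASH, to_authenticator, user_reads_display)
    if res is None:
        return "rejected by user"
    h, sig = res
    return "accepted" if bank_with_display(to_bank, h, sig) else "rejected by bank"


if __name__ == "__main__":
    print("hash-only, malware:", hash_only_flow(True))
    print("display-bound, swap what the bank gets:", display_bound_flow(TAMPERED, INTENDED, False))
    print("display-bound, swap what is displayed:", display_bound_flow(TAMPERED, TAMPERED, True))
```

Two malware strategies are covered: forwarding the genuine data to the authenticator while submitting a different transaction to the bank fails at the bank regardless of user attention, because the signed hash was computed by the authenticator over the displayed data; forwarding the tampered data to the authenticator only succeeds against a user who does not read the display, which is exactly the residual risk the secure display is meant to shrink.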
swissbanking FIDO2 2025 FR Suisse banquiers norme GBIC avis Suisse
That DeepSeek installer you just clicked? It's malware https://www.theregister.com/2025/06/11/deepseek_installer_or_infostealing_malware/
12/06/2025 09:19:50

Suspected cybercriminals have created a fake installer for Chinese AI model DeepSeek-R1 and loaded it with previously unknown malware called "BrowserVenom".

The malware’s name reflects its ability to redirect all traffic from browsers through an attacker-controlled server.

This enables the crooks to steal data, monitor browsing activity, and potentially expose plaintext traffic. Credentials for websites, session cookies, financial account info, plus sensitive emails and documents are therefore all at risk – just the sort of info scammers seek so they can commit digital fraud and/or sell to other miscreants.

To date, the malware has infected "multiple" computers across Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. Kaspersky, which spotted a phishing campaign that spreads the malware by sending victims to a fake website that resembles the real DeepSeek homepage, said it continues to "pose a global threat."

While the malware used in this campaign is new, the tactic of using interest in AI to spread nasty payloads is increasingly common.

Such campaigns use phishing sites whose domain names differ slightly from those operated by real AI vendors, and criminals use malicious ads and other tactics, so they appear prominently in search engine results. But instead of delivering the promised chatbot or AI tool, they infect unwitting victims with everything from credential- and wallet-stealing malware to ransomware and Windows-borking code.

This campaign used the URL https[:]//deepseek-platform[.]com.

The crims promoted that address to many potential victims by buying ads from Google, so it appeared as the top result when users searched for "deepseek r1".

theregister EN 2025 BrowserVenom malware DeepSeek fake installer
Hackers exploited Windows WebDav zero-day to drop malware https://www.bleepingcomputer.com/news/security/stealth-falcon-hackers-exploited-windows-webdav-zero-day-to-drop-malware/
12/06/2025 08:55:48

An APT hacking group known as 'Stealth Falcon' exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen.

Stealth Falcon (aka 'FruityArmor') is an advanced persistent threat (APT) group known for conducting cyberespionage attacks against Middle East organizations.

The flaw, tracked under CVE-2025-33053, is a remote code execution (RCE) vulnerability that arises from the improper handling of the working directory by certain legitimate system executables.

Specifically, when a .url file sets its WorkingDirectory to a remote WebDAV path, a built-in Windows tool can be tricked into executing a malicious executable from that remote location instead of the legitimate one.

This allows attackers to force devices to execute arbitrary code remotely from WebDAV servers under their control without dropping malicious files locally, making their operations stealthy and evasive.

The vulnerability was discovered by Check Point Research, with Microsoft fixing the flaw in the latest Patch Tuesday update, released yesterday.

bleepingcomputer EN 2025 CVE-2025-33053 Patch-Tuesday Actively-Exploited Espionage Remote-Code-Execution Stealth-Falcon Vulnerability WebDAV Windows Zero-Day
Echoleak Blogpost https://www.aim.security/lp/aim-labs-echoleak-blogpost
12/06/2025 07:30:49
  • Aim Labs has identified a critical zero-click AI vulnerability, dubbed “EchoLeak”, in Microsoft 365 (M365) Copilot and has disclosed several attack chains that allow an exploit of this vulnerability to Microsoft's MSRC team.
  • This attack chain showcases a new exploitation technique we have termed "LLM Scope Violation" that may have additional manifestations in other RAG-based chatbots and AI agents. This represents a major research discovery advancement in how threat actors can attack AI agents - by leveraging internal model mechanics.
  • The chains allow attackers to automatically exfiltrate sensitive and proprietary information from M365 Copilot context, without the user's awareness, or relying on any specific victim behavior.
  • The result is achieved despite M365 Copilot's interface being open only to organization employees.
  • To successfully perform an attack, an adversary simply needs to send an email to the victim without any restriction on the sender's email.
  • As a zero-click AI vulnerability, EchoLeak opens up extensive opportunities for data exfiltration and extortion attacks for motivated threat actors. In an ever evolving agentic world, it showcases the potential risks that are inherent in the design of agents and chatbots.
  • Aim Labs continues in its research activities to identify novel types of vulnerabilities associated with AI deployment and to develop guardrails that mitigate against such novel vulnerabilities.

Aim Labs is not aware of any customers being impacted to date.

TL;DR

Aim Security discovered “EchoLeak”, a vulnerability that exploits design flaws typical of RAG Copilots, allowing attackers to automatically exfiltrate any data from M365 Copilot’s context, without relying on specific user behavior. The primary chain is composed of three distinct vulnerabilities, but Aim Labs has identified additional vulnerabilities in its research process that may also enable an exploit.
aim.security EN 2025 research vulnerability zero-click AI EchoLeak M365 Copilot LLM-Scope-Violation