theregister.com - Exclusive Aviation insiders say Serbia's national airline, Air Serbia, was forced to delay issuing payslips to staff as a result of a cyberattack it is battling.
Internal memos, seen by The Register, dated July 10 told staff: "Given the current situation and the ongoing cyberattacks, for security reasons, we will postpone the distribution of the June 2025 payslips.
"The IT department is working to resolve the issue as a priority, and once the conditions allow, the payslips will be sent to your email addresses."
Staff were reportedly paid their monthly salaries, but access to their payslip PDF was unavailable.
HR warned staff earlier in the day against opening emails that appeared to be related to payslips, or those that mention the staff members' first and last names "as if you sent them to yourself."
"We also kindly ask that you act responsibly given the current situation."
According to other internal comms seen by The Register, Air Serbia's IT team began emailing staff warning them that it was facing a cyberattack on July 4.
"Our company is currently facing cyberattacks, which may lead to temporary disruptions in business processes," they read.
"We kindly ask all managers to promptly create a work plan adapted to the changed circumstances, in accordance with the Business Continuity Plan, and to communicate it to their teams as soon as possible."
The same email communication chain mentioned the company's IT and security manager issuing a staff-wide password reset and installing security-scanning software on their machines on July 7.
All service accounts were killed at this point, which affected several automated processes, and datacenters were added to a demilitarized zone, which led to issues with users not being able to sync their passwords.
Additionally, internet access was removed for all endpoints, leaving only a certain few whitelisted pages under the airserbia.com domain available.
IT also installed a new VPN client "due to identified security vulnerabilities."
"We kindly ask you to take this situation seriously and fully cooperate with the IT team," the memo reads. "Please allow them to install the necessary software as efficiently as possible and carefully follow any further instructions they provide."
Two days after this, another wave of password resets came, the source said. Instead of allowing users to choose their own, the replacements followed a template from the sysadmins.
On July 11, IT issued a third wave of password resets, and staff were asked to leave their PCs locked but open before heading home for the weekend, so the IT team could continue working on them.
A source familiar with the matter, who spoke to The Register on condition of anonymity, said Air Serbia is trying to clean up a cyberattack that led to a deep compromise of its Active Directory.
As of July 14, the source claimed the airline's blue team has not fully eradicated the attackers' access to the company network and is not sure when the attackers broke in, due to a lack of security logs, although it is thought to be in the first few days of July.
The attack at the company, which is government-owned, is likely to have led to personal data compromise, the insider suspects, and some staff expressed concern that the company might not publicly disclose the intrusion.
WASHINGTON, July 15 (Reuters) - A U.S. state's Army National Guard network was thoroughly hacked by a Chinese cyberespionage group nicknamed "Salt Typhoon," according to a Department of Homeland Security memo.
The memo obtained by Property of the People, a national security transparency nonprofit, said the hackers "extensively compromised" the unnamed state Army National Guard's network between March and December 2024 and exfiltrated maps and "data traffic" with counterparts' networks in "every other US state and at least four US territories."
he National Guard and the Department of Homeland Security's cyber defense arm, CISA, did not immediately return messages. News of the memo was first reported by NBC News.
Salt Typhoon has emerged as one of the top concerns of American cyber defhen Coatesenders. U.S. officials allege that the hacking group is doing more than just gathering intelligence; it is prepositioning itself to paralyze U.S. critical infrastructure in case of a conflict with China. Beijing has repeatedly denied being behind the intrusions.
The memo, which said it drew on reporting from the Pentagon, said that Salt Typhoon's success in compromising states' Army National Guard networks nationwide "could undermine local cybersecurity efforts to protect critical infrastructure," in part because such units are often "integrated with state fusion centers responsible for sharing threat information—including cyber threats."
Jun 18, 2025, 19:09 GMT+1
Iran’s state broadcaster was hacked Wednesday night, with videos calling for street protests briefly aired.
Footage circulated on social media showed protest-themed clips interrupting regular programming.
"If you experience disruptions or irrelevant messages while watching various TV channels, it is due to enemy interference with satellite signals," state TV said.
The hacking of the programming on Wednesday night was limited to satellite transmissions, the Islamic Republic of Iran Broadcasting (IRIB) said.
The hack into the account of the country’s top security official has drawn criticism online.
Malaysia’s home minister had his WhatsApp account hacked and then abused to send malicious links to his contacts, according to police.
The attacker reportedly used a virtual private network (VPN) to compromise the account of Datuk Seri Saifuddin Nasution Ismail, authorities said at a press conference on Friday, adding that no victims have reported financial losses so far. They did not elaborate on how the hack was carried out.
The Ministry of Home Affairs, which oversees law enforcement, immigration and censorship, confirmed the incident and urged the public not to respond to any messages or calls claiming to be from the minister, especially those involving financial or personal requests.
The breach is under investigation and law enforcement is working to determine the hacker’s location.
Mobile phishing scams have become increasingly common in Malaysia. Local media have reported that citizens are frequently targeted by fraudsters posing as police, bank officials or court representatives.
The recent WhatsApp incident follows similar attacks on other high-ranking officials. In March, scammers hijacked the WhatsApp account of parliamentary speaker Johari Abdul and tricked some of his contacts into sending money. In 2022, threat actors accessed Telegram and Signal accounts belonging to former Prime Minister Ismail Sabri. And in 2015, hackers took over the Royal Malaysia Police’s Twitter and Facebook accounts, posting pro-Islamic State group messages.
Nasution Ismail faced online criticism and ridicule following the WhatsApp hack, with local media reporting that citizens questioned the strength of Malaysia’s cybersecurity measures, given that the country’s top security official had been successfully targeted by hackers.
US man who hacked SEC’s X account to spike Bitcoin price sentenced to prison
Eric Council Jr., 26, was sentenced to 14 months in prison and three years of supervised release on Friday for participating in the hack of the official X account of the U.S. Securities and Exchange Commission.
The U.S. Department of Justice announced the sentencing in a press release. Council and other hackers took over the SEC’s X account in 2024 to falsely announce that the agency had approved Bitcoin exchange traded funds, or ETFs, which shot up the price of the cryptocurrency before later dropping.
According to the DOJ, Council and his co-conspirators performed a SIM swap attack against the cellphone account of a person who had access to the SEC’s X account, which allowed the hackers to take control of their phone number. From there, the hackers reset the password of the SEC’s X account, granting them control of the account.
The presence of credentials in leaked “stealer logs” indicates his device was infected.
Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years.
Kyle Schutt is a 30-something-year-old software engineer who, according to Dropsite News, gained access in February to a “core financial management system” belonging to the Federal Emergency Management Agency. As an employee of DOGE, Schutt accessed FEMA’s proprietary software for managing both disaster and non-disaster funding grants. Under his role at CISA, he likely is privy to sensitive information regarding the security of civilian federal government networks and critical infrastructure throughout the US.
A steady stream of published credentials
According to journalist Micah Lee, user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits. Besides pilfering login credentials, stealers can also log all keystrokes and capture or record screen output. The data is then sent to the attacker and, occasionally after that, can make its way into public credential dumps.
“I have no way of knowing exactly when Schutt's computer was hacked, or how many times,” Lee wrote. “I don't know nearly enough about the origins of these stealer log datasets. He might have gotten hacked years ago and the stealer log datasets were just published recently. But he also might have gotten hacked within the last few months.”
A messaging service used by former National Security Advisor Mike Waltz has temporarily shut down while the company investigates an apparent hack. The messaging app is used to access and archive Signal messages but is not made by Signal itself.
404 Media reported yesterday that a hacker stole data "from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the US government to archive messages." 404 Media interviewed the hacker and reported that the data stolen "contains the contents of some direct messages and group chats sent using [TeleMessage's] Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat."
TeleMessage is based in Israel and was acquired in February 2024 by Smarsh, a company headquartered in Portland, Oregon. Smarsh provided a statement to Ars today saying it has temporarily shut down all TeleMessage services.
"TeleMessage is investigating a recent security incident," the statement said. "Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation. Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational."
Last week, Waltz was photographed using the TeleMessage Signal app on his phone during a White House cabinet meeting. Waltz's ability to secure sensitive government communications has been in question since he inadvertently invited The Atlantic Editor-in-Chief Jeffrey Goldberg to a Signal chat in which top Trump administration officials discussed a plan for bombing Houthi targets in Yemen.
Waltz was removed from his post late last week, with Trump nominating him to serve as ambassador to the United Nations.
TeleMessage, a company that makes a modified version of Signal that archives messages for government agencies, was hacked.
A hacker has breached and stolen customer data from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the U.S. government to archive messages, 404 Media has learned. The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat. TeleMessage was recently the center of a wave of media coverage after Mike Waltz accidentally revealed he used the tool in a cabinet meeting with President Trump.
The hack shows that an app gathering messages of the highest ranking officials in the government—Waltz’s chats on the app include recipients that appear to be Marco Rubio, Tulsi Gabbard, and JD Vance—contained serious vulnerabilities that allowed a hacker to trivially access the archived chats of some people who used the same tool. The hacker has not obtained the messages of cabinet members, Waltz, and people he spoke to, but the hack shows that the archived chat logs are not end-to-end encrypted between the modified version of the messaging app and the ultimate archive destination controlled by the TeleMessage customer.
SK Telecom, South Korea’s largest telecom company, disclosed a data leak involving a malware infection.
SK Telecom is South Korea’s largest wireless carrier — it has tens of millions of subscribers and holds roughly half of the local market.
The company revealed on Tuesday in a Korean-language statement posted on its website that it detected an intrusion on April 19. An investigation showed that the attackers deployed malware and managed to obtain personal information belonging to customers.
Following the incident, SK Telecom is offering customers a free SIM protection service designed to prevent SIM swapping, which suggests that the leaked data could be leveraged for such activities.
The crosswalk buttons, which include audio alerts, were hacked over the weekend.
The Office of the Comptroller of the Currency (OCC) today notified Congress of a major information security incident, as required by the Federal Information Security Modernization Act.
This finding is the result of internal and independent third-party reviews of OCC emails and email attachments that were subject to unauthorized access. On February 11, 2025, the OCC learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes. On February 12, the OCC confirmed the activity was unauthorized and immediately activated its incident response protocols which include initiating an independent third-party incident assessment and reporting the incident to the Cybersecurity and Infrastructure Security Agency. On February 12, the OCC disabled the compromised administrative accounts and confirmed that the unauthorized access had been terminated. The OCC provided public notice of the incident on February 26.
"Don't do crime," the ransomware gang's dark web leak site reads.
Dubbed “BlackLock” (aka "El Dorado" or "Eldorado"), the ransomware-as-a-service (RaaS) outfit has existed since March 2024. In Q4 of last year, it increased its number of data leak posts by a staggering 1,425% quarter-on-quarter. According to independent reporting, a relatively new group has rapidly accelerated attacks and could become the most dominant RaaS group in 2025.
Fortunately, it will not happen due to certain events happening "behind the scenes." As you may know, Christmas and Winter Holidays are the best times for cybercriminals to attack, defraud, and extort victims globally. But in some cases, they may expect unexpected gifts too. Around that time, Resecurity identified a vulnerability present at the Data Leak Site (DLS) of BlackLock in the TOR network - successful exploitation of which allowed our analysts to collect substantial intelligence about their activity outside of the public domain.
You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog. I'm deliberately keeping this post very succinct to ensure the message goes out to my impacted subscribers ASAP, then I'll update the post with more details.
Unbekannte sind in das Mailkonto von Säckelmeister Ruedi Eberle eingedrungen. Dank des Sicherheitssystems konnte eine Weiterverbreitung rasch unterbunden werden. Nach aktuellem Stand sind weder Daten verloren gegangen noch weitere Konten der kantonalen Verwaltung betroffen.
The department notified lawmakers of the episode, which it said was linked to a state-sponsored actor in China.
In a letter informing lawmakers of the episode, the Treasury Department said that it had been notified on Dec. 8 by a third-party software service company, BeyondTrust, that the hacker had obtained a security key that allowed it to remotely gain access to certain Treasury workstations and documents on them
Learn how Nautilus threat-hunting operation analyzed attackers exploiting misconfigured JupyterLab for illegal stream ripping with Traceeshark.
"It could have been worse," one owner incredibly concluded.
Defense contractor gets hacked – what's the worst that could happen
Rapid7 investigated suspicious behavior emanating from the installation of Notezilla, RecentX, & Copywhiz. These installers are distributed by Conceptworld.
