Understand the mechanics, risks, and the future of IMSI catching (a.k.a. stealing your cellular ID) in 2025. Read our primer on this niche form of hacking.
The GSM (better known as 2G) protocol has a security vulnerability that exposes a user’s personal identifier (IMSI) in the clear, allowing for attribution and geolocation. This vulnerability is also in the UMTS (a.k.a. 3G) spec, and in the LTE (4G) spec. While the vulnerability was finally addressed in NR (5G), it’s imperfect and remains an exploitable 5G network vulnerability… and my favorite cybersecurity topic.
How to block an IMSI catcher
There’s no way to block an IMSI catcher. The only simple thing you can do, that can have an effect, is to set your network priority to 5G-SA – but most phones don’t support this feature.
If you’re really paranoid, stay in airplane mode until you’re in a very dense coverage area. While this is far from a guarantee, IMSI catchers are more likely to be sitting in areas with compromised signal quality.
Finally, you can keep your phone in a Faraday bag, which can provide up to 100 dB of signal attenuation. GSM
How luxury cars, $500,000 bar tabs and a mysterious kidnapping attempt helped investigators unravel the heist of a lifetime.
In the balmy late afternoon of Aug. 25, 2024, Sushil and Radhika Chetal were house-hunting in Danbury, Conn., in an upscale neighborhood of manicured yards and heated pools. Sushil, a vice president at Morgan Stanley in New York, was in the driver’s seat of a new matte gray Lamborghini Urus, an S.U.V. with a price tag starting around $240,000. As they turned a corner, the Lamborghini was suddenly rammed from behind by a white Honda Civic. At the same time, a white Ram ProMaster work van cut in front, trapping the Chetals. According to a criminal complaint filed after the incident, a group of six men dressed in black and wearing masks emerged from their vehicles and forced the Chetals from their car, dragging them toward the van’s open side door.
After the August 2024 crypto heist, ZachXBT was able to track Lam through what’s called OSINT — open-source intelligence. In other words, social media. In Com chat groups, word was spreading that Lam was on a wild spending spree. Nobody seemed to know the source of his money, but they spoke of his lavish exploits at Los Angeles nightclubs. ZachXBT researched the most popular nightclubs in the city and then searched Instagram stories from partyers and the clubs themselves. In one post, Malone was filmed wearing a white Moncler jacket and what appeared to be diamond rings and diamond-encrusted sunglasses. He stood up on the table and began showering the crowd with hundred-dollar bills. As money rained down, servers paraded in $1,500 bottles of Champagne topped with sparklers and held up signs that read “@Malone.” He spent $569,528 in one evening alone. At one nightclub, Lam and his crew trolled ZachXBT, getting clubgoers to hold up signs reading “TOLD U WE’D WIN,” while another read, “[Expletive] ZACHXBT.”
Microsoft synchronization capabilities for managing identities in hybrid environments are not without their risks. In this blog, Tenable Research explores how potential weaknesses in these synchronization options can be exploited.
Synchronizing identity accounts between Microsoft Active Directory (AD) and Entra ID is important for user experience, as it seamlessly synchronizes user identities, credentials and groups between on-premises and cloud-based systems. At the same time, Tenable Research shows the following synchronization options can introduce cybersecurity risk that extend beyond hybrid tenants:
the already known Directory Synchronization Accounts Entra role
the new On Premises Directory Sync Account Entra role
the new Microsoft Entra AD Synchronization Service application
In 2024, Microsoft introduced two new security hardening measures for hybrid Entra ID synchronization. However, despite these improvements, both the Directory Synchronization Accounts and the new On Premises Directory Sync Account roles retain access to critical synchronization APIs. Moreover, the new 'Microsoft Entra AD Synchronization Service' application exposes the privileged ADSynchronization.ReadWrite.All permission, introducing another potential attack path that security teams must watch closely.
In this technical blog, we break down the changes Microsoft made to each of its synchronization options, explore where new risks were introduced and provide guidance on how Tenable Identity Exposure can help you monitor and secure your hybrid synchronization environment.
April 23, 2025
The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) has released its latest annual report. The 2024 Internet Crime Report combines information from 859,532 complaints of suspected internet crime and details reported losses exceeding $16 billion—a 33% increase in losses from 2023.
The top three cyber crimes, by number of complaints reported by victims in 2024, were phishing/spoofing, extortion, and personal data breaches. Victims of investment fraud, specifically those involving cryptocurrency, reported the most losses—totaling over $6.5 billion.
According to the 2024 report, the most complaints were received from California, Texas, and Florida. As a group, people over the age of 60 suffered the most losses at nearly $5 billion and submitted the greatest number of complaints.
“Reporting is one of the first and most important steps in fighting crime so law enforcement can use this information to combat a variety of frauds and scams,” said FBI Director, Kash Patel. “The IC3, which is celebrating its 25th anniversary this year, is only as successful as the reports it receives; that’s why it’s imperative that the public immediately report suspected cyber-enabled criminal activity to the FBI.”
To promote public awareness, the IC3 produces an annual report to aggregate and highlight the data provided by the general public. The quality of the data is a direct reflection of the information the public provides through the IC3 website. The IC3 standardizes the data by categorizing each complaint and analyzes the data to identify and forecast trends in internet crime. The annual report helps the FBI develop effective relationships with industry partners and share information for investigative and intelligence purposes for law enforcement and public awareness.
The IC3, which was established in May 2000, houses nine million complaints from the public in its database and continues to encourage anyone who thinks they’ve been the victim of a cyber-enabled crime, regardless of dollar loss, to file a complaint through the IC3 website. The more comprehensive complaints the FBI receives, the more effective it will be in helping law enforcement gain a more accurate picture of the extent and nature of internet-facilitated crimes.
The FBI recommends that everyone frequently review consumer and industry alerts published by the IC3. If you or your business are a victim of an internet crime, immediately notify all financial institutions involved in the relevant transactions, submit a complaint to www.ic3.gov, contact your nearest FBI field office, and contact local law enforcement.
Learn more about the history of IC3 by listening to this previously released FBI podcast episode: Inside the FBI: IC3 Turns 20.
Hannah Neumann was targeted in a cyber-espionage operation by an infamous Iranian hacking group earlier this year, she said.
A prominent European Parliament member was the victim of what is believed to be a cyber-espionage operation tied to her role as chair of the chamber's Iran delegation, she told POLITICO.
The office of Hannah Neumann, a member of the German Greens and head of the delegation spearheading work on European Union-Iran relations, was targeted by a hacking campaign that started in January, she said. Her staff was contacted with messages, phone calls and emails by hackers impersonating a legitimate contact. They eventually managed to target a laptop with malicious software.
"It was a very sophisticated attempt using various ways to manage that someone accidentally opens a link, including putting personal pressure on them," Neumann said.
Google intelligence report finds UK is a particular target of IT worker ploy that sends wages to Kim Jong Un’s state
British companies are being urged to carry out job interviews for IT workers on video or in person to head off the threat of giving jobs to fake North Korean employees.
The warning was made after analysts said that the UK had become a prime target for hoax IT workers deployed by the Democratic People’s Republic of Korea. They are typically hired to work remotely, enabling them to escape detection and send their wages to Kim Jong-un’s state.
Google said in a report this month that a case uncovered last year involved a single North Korean worker deploying at least 12 personae across Europe and the US. The IT worker was seeking jobs within the defence industry and government sectors. Under a new tactic, the bogus IT professionals have been threatening to release sensitive company data after being fired.
Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.
The intermittent cyberwar between Israel and Iran, stretching back to Israel's role in the creation and deployment of the Stuxnet malware that sabotaged Iran's nuclear weapons program, has been perhaps the longest-running conflict in the era of state-sponsored hacking. But since Hamas' October 7 attack and Israel's retaliatory invasion of Gaza, a new player in that conflict threatens not just digital infrastructure in Israel but also critical systems in the US and around the world.
The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government's most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure. Despite being operated by members of Iran's Revolutionary Guard Corps, according to US officials who have offered a $10 million bounty for information leading to their arrest, the group initially took on the mantle of a “hacktivist” campaign.
In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild.
In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities was from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure. This trend continues from a similar pace we saw in 2024. This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt.
Here are the key take-aways from our analysis and coverage of known exploited vulnerabilities:
In this two-part series, SpiderLabs explores the malicious traffic associated with Proton66, revealing the extent and nature of these attacks.
Mass scanning and exploit campaigns targeting multiple sectors
Starting from January 8, 2025, SpiderLabs observed an increase in mass scanning, credential brute forcing, and exploitation attempts originating from Proton66 ASN targeting organizations worldwide. Although malicious activity was seen in the past, the spike and sudden decline observed later in February 2025 were notable, and offending IP addresses were investigated.
AS198953, belonging to Proton66 OOO, consists of five net blocks, which are currently listed on blocklists such as Spamhaus due to malicious activity. Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute force attempts. Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years. For instance, the last activities reported in AbuseIPDB for the IP addresses 45.134.26.8 and 45.135.232.24 were noted in November and July 2021, respectively.
A Chinese startup, Sand AI, appears to be blocking certain politically sensitive images from its online video generation tool.
A China-based startup, Sand AI, has released an openly licensed, video-generating AI model that’s garnered praise from entrepreneurs like the founding director of Microsoft Research Asia, Kai-Fu Lee. But Sand AI appears to be censoring the hosted version of its model to block images that might raise the ire of Chinese regulators from the hosted version of the model, according to TechCrunch’s testing.
Earlier this week, Sand AI announced Magi-1, a model that generates videos by “autoregressively” predicting sequences of frames. The company claims the model can generate high-quality, controllable footage that captures physics more accurately than rival open models.
Microsoft security chief Charlie Bell says the SFI’s 28 objectives are “near completion” and that 11 others have made “significant progress.”
Microsoft, touting what it calls “the largest cybersecurity engineering project in history,” says it has moved every Microsoft Account and Entra ID token‑signing key into hardware security modules or Azure confidential VMs with automatic rotation, an overhaul meant to block the key‑theft tactic that fueled an embarrassing nation‑state breach at Redmond.
Just 18 months after rolling out a Secure Future Initiative in response to the hack and a scathing US government report that followed, Microsoft security chief Charlie Bell said five of the program’s 28 objectives are “near completion” and that 11 others have made “significant progress.”
In addition to the headline fix to put all Microsoft Account and Entra ID token‑signing keys in hardware security modules or Azure confidential virtual machines, Bell said more than 90 percent of Microsoft’s internal productivity accounts have moved to phishing‑resistant multi factor authentication and that 90 percent of first‑party identity tokens are validated through a newly hardened software‑development kit.
The firm has stopped taking orders on its website and apps, including for food and clothes.
Marks & Spencer (M&S) says it has stopped taking online orders as the company struggles to recover from a cyber attack.
Customers began reporting problems last weekend, and on Tuesday the retailer confirmed it was facing a "cyber incident".
Now, M&S has entirely paused orders on its website and apps - including for food deliveries and clothes - and says it will refund orders placed by customers on Friday.
The firm's shares fell by 5% following the announcement, before recovering.
Online orders remained paused on Saturday morning.
"We are truly sorry for this inconvenience," the retailer wrote in a post on X.
"Our experienced team - supported by leading cyber experts - is working extremely hard to restart online and app shopping.
"We are incredibly grateful to our customers, colleagues and partners for their understanding and support."
Bell Ambulance and Alabama Ophthalmology Associates have suffered data breaches affecting over 100,000 people after being targeted in ransomware attacks.
One of them is Milwaukee, WI-based Bell Ambulance, which provides ambulance services in the area. The company revealed last week in a data security notice that it detected a network intrusion on February 13, 2025.
An investigation showed that hackers gained access to files containing information such as name, date of birth, SSN, and driver’s license number, as well as financial, medical and health insurance information.
Bell Ambulance did not say in its public notice how many individuals are impacted, but the Department of Health and Human Services (HHS) data breach tracker revealed on Monday that 114,000 people are affected.
The Medusa ransomware group announced hacking Bell Ambulance in early March, claiming to have stolen more than 200 Gb of data from its systems.
The second healthcare organization to confirm a data breach impacting more than 100,000 people is Birmingham, AL-based ophthalmology practice Alabama Ophthalmology Associates.
SK Telecom, South Korea’s largest telecom company, disclosed a data leak involving a malware infection.
SK Telecom is South Korea’s largest wireless carrier — it has tens of millions of subscribers and holds roughly half of the local market.
The company revealed on Tuesday in a Korean-language statement posted on its website that it detected an intrusion on April 19. An investigation showed that the attackers deployed malware and managed to obtain personal information belonging to customers.
Following the incident, SK Telecom is offering customers a free SIM protection service designed to prevent SIM swapping, which suggests that the leaked data could be leveraged for such activities.
A detailed analysis of a multi-stage card skimming attack exploiting outdated Magento software and fake image files.
In today’s post we’re going to review a sophisticated, multi-stage carding attack on a Magento eCommerce website. This malware leveraged a fake gif image file, local browser sessionStorage data, and tampered with the website traffic using a malicious reverse-proxy server to facilitate the theft of credit card data, login details, cookies, and other sensitive data from the compromised website.
The client was experiencing some strange behaviour on their checkout page, including clients unable to input their card details normally, and orders not going through. They contacted us for assistance. Thinking this would be a straightforward case of credit card theft instead what we found was actually a fascinating and rather advanced malware which we will explore in detail in this post.
A new attack technique named Policy Puppetry can break the protections of major gen-AI models to produce harmful outputs.
SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers.
MTN Group said an “unknown third-party has claimed to have accessed data linked” to parts of its system and that the incident “resulted in unauthorised access to personal information of some MTN customers in certain markets.”
A surveillance tool meant to keep tabs on employees is leaking millions of real-time screenshots onto the open web.
Your boss watching your screen isn't the end of the story. Everyone else might be watching, too. Researchers at Cybernews have uncovered a major privacy breach involving WorkComposer, a workplace surveillance app used by over 200,000 people across countless companies.
The app, designed to track productivity by logging activity and snapping regular screenshots of employees’ screens, left over 21 million images exposed in an unsecured Amazon S3 bucket, broadcasting how workers go about their day frame by frame.
Singaporean businessman Lu Heng is poised to capture Africa’s regional IP address regulator, and with it, the keys to control of much of the world's remaining IPv4 addresses
People playing Blizzard's RTS have spent the last year complaining about hackers doing terrible shit
ReliaQuest has observed SAP NetWeaver incidents with unauthorized file uploads and malicious execution, hinting at a possible unreported vulnerability.
M-Trends 2025 data is based on more than 450,000 hours of Mandiant Consulting investigations. The metrics are based on investigations of targeted attack activity conducted between Jan. 1, 2024 and Dec. 31, 2024. Key findings in M-Trends 2025 include:
55% of threat groups active in 2024 were financially motivated, which marks a steady increase, and 8% of threat groups were motivated by espionage.
Exploits continue to be the most common initial infection vector (33%), and for the first time stolen credentials rose to the second most common in 2024 (16%).
The top targeted industries include financial (17.4%), business and professional services (11.1%), high tech (10.6%), government (9.5%), and healthcare (9.3%).
Global median dwell time rose to 11 days from 10 days in 2023. Global median dwell time was 26 days when external entities notified, 5 days when adversaries notified (notably in ransomware cases), and 10 days when organizations discovered malicious activity internally.
M-Trends 2025 dives deep into the aforementioned infostealer, cloud, and unsecured data repository trends, and several other topics, including:
Democratic People's Republic of Korea deploying citizens as remote IT contractors, using false identities to generate revenue and fund national interests.
Iran-nexus threat actors ramping up cyber operations in 2024, notably targeting Israeli entities and using a variety of methods to improve intrusion success.
Attackers targeting cloud-based stores of centralized authority, such as single sign-on portals, to gain broad access.
Increased targeting of Web3 technologies such as cryptocurrencies and blockchains for theft, money laundering, and financing illicit activities.
In a sanctions package including more than 150 new measures, the British government said it was closing loopholes being exploited by the Kremlin.
We've previously, publicly and privately, analysed vulnerabilities in various ‘Backup and Replication’ platforms, including those offered by Veeam and NAKIVO - both of which have struggled to avoid scrutiny and in some cases, even opting to patch issues silently.
However, we’re glad to see that sense prevails - kudos to NAKIVO for acknowledging CVE-2024-48248 from our previous research and publicly responding to a new XXE vulnerability (CVE-2025-32406).
Backup and Replication solutions have become prime targets for ransomware operators for logical reasons — Veeam, for instance, has already seen widespread exploitation in the wild.
GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure or Ivanti Pulse Secure VPN systems. More than 230 unique IPs probed ICS/IPS endpoints. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation.
Combined with AI, polymorphic phishing emails have become highly sophisticated, creating more personalized and evasive messages that result in higher attack success rates.
Learn how JFrog detected a malicious package that steals MEXC credentials and crypto trading tokens to buy and sell futures on crypto trading platforms.
Between Sunday 14 April and Wednesday 17 April a total of 70 addresses were searched across the world, resulting in the arrest of 37 suspects. This includes the arrest of 4 individuals in the United Kingdom linked to the running of the site, including the original developer of the service.The LabHost platform, previously available on the open web, has been...
Discover advanced phishing techniques bypassing email security—Intezer reveals threats hidden in SVGs, PDFs, OneDrive, and OpenXML files.
In a previous article of JPCERT/CC Eyes, we reported on SPAWNCHIMERA malware, which infects the target after exploiting the vulnerability in Ivanti Connect Secure. However, this is not the only malware observed in recent attacks. This time, we focus on another malware DslogdRAT and a web shell that were installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024.
Key Findings The number of publicly-mentioned and extorted victims in Q1 reached the highest ever number, with a 126% increase year-over-year. Cl0p
Silent and undetectable initial access is the cornerstone of a cyberattack. MFA is there to stop unauthorized access, but attackers are constantly evolving.
This update outlines what happened, what we’ve done so far, and the actions we are taking to prevent it from happening in the future.
The official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets.
Like any garden, the digital landscape experiences the emergence of unexpected blooms. Among the helpful flora of browser and application extensions, some appear with intentions less than pure. These deceptive ones, often born from a fleeting desire for illicit gain or mischievous disruption, may possess a certain transient beauty in their ingenuity. They arrive, sometimes subtly flawed in their execution, yet are driven by an aspiration to infiltrate our digital lives, to harvest our data, or to simply sow chaos.
Thousands of students, teachers and administrators had information stolen from the Baltimore City Public Schools system during a ransomware attack in February.
FortiGuard Labs recently discovered a new botnet propagating through TOTOLINK devices. Learn more about this malware targeting these devices.
Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links.
ASUS recently disclosed a critical security vulnerability affecting routers that have AiCloud enabled, potentially allowing remote attackers to perform unauthorized execution functions on vulnerable devices.
The vulnerability is being tracked as CVE-2025-2492 and was given a CVSS score of 9.2 on a 10.0 scale, making it classified as critical.
According to ASUS researchers, the "improper authentication control vulnerability," which only exists in certain ASUS router firmware series, can be triggered by a "crafted request" on behalf of the attackers.
The Federal Bureau of Investigation (FBI) warns the public about an ongoing fraud scheme where criminal scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees to deceive and defraud individuals. Between December 2023 and February 2025, the FBI received more than 100 reports of IC3 impersonation scams.
Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted individuals. This activity comes on the heels of attacks Volexity reported on back in February 2025, where Russian threat actors were discovered targeting users and organizations through Device Code Authentication phishing...
The Sysdig Threat Research Team (TRT) has discovered CVE-2025-32955, a now-patched vulnerability in Harden-Runner, one of the most popular GitHub Action CI/CD security tools. Exploiting this vulnerability allows an attacker to bypass Harden-Runner’s disable-sudo security mechanism, effectively evading detection within the continuous integration/continuous delivery (CI/CD) pipeline under certain conditions. To mitigate this risk, users are strongly advised to update to the latest version.
The CVE has been assigned a CVSS v3.1 base score of 6.0.
Learn how a convincing Google spoof used a DKIM replay attack to bypass email security and trick users with a fake subpoena. A real-world phishing example you need to see.
In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google's systems, passing all verifications but pointing to a fraudulent page that collected logins.
Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's
This report details a newly identified and active fraud campaign, highlighting the emergence of sophisticated mobile malware leveraging innovative techniques:
Malicious npm packages posing as Telegram bot libraries install SSH backdoors and exfiltrate data from Linux developer machines.
When our CEO received an invitation to appear on “Bloomberg Crypto,” he immediately recognized the hallmarks of a sophisticated social engineering campaign. What appeared to be a legitimate media opportunity was, in fact, the latest operation by ELUSIVE COMET—a threat actor responsible for millions in cryptocurrency theft through carefully constructed social engineering attacks.
This post details our encounter with ELUSIVE COMET, explains their attack methodology targeting the Zoom remote control feature, and provides concrete defensive measures organizations can implement to protect themselves.
