AboutDFIR – The Definitive Compendium Project
InfoSec News Nuggets 4/15/2025 15 Apr 2025, 12:14 pm
China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure
In a secret meeting that took place late last year between Chinese and American officials, the former confirmed that China had conducted cyberattacks against US infrastructure as part of the campaign known as Volt Typhoon, according to The Wall Street Journal. The meeting took place at a Geneva summit in December and involved members of the outgoing Biden administration. The US officials who were present were startled by China’s admission, people familiar with the matter told WSJ [paywalled article].
Data Breach at Planned Parenthood Lab Partner Exposes Info of 1.6M
A data breach at Laboratory Services Cooperative (LSC) exposed the sensitive health and personal information of 1.6 million individuals linked to select Planned Parenthood centers. Learn if you’re affected and what data was compromised. A US-based lab testing services provider, Laboratory Services Cooperative (LSC), has confirmed that hackers broke into their computer systems in October 2024 and got the personal information of about 1.6 million people.
Where it Hertz: Customer data driven off in Cleo attacks
Car hire giant Hertz has confirmed that customer information was stolen during the zero-day data raids on Cleo file transfer products last year. A breach notification was issued on Monday on behalf of Hertz, Dollar, and Thrifty brands, suggesting customers of all three Hertz Corporation-owned car hire businesses were affected. Hertz didn’t detail the number of customers exposed but said names, contact information, dates of birth, credit cards, driver’s license information, and details related to workers’ compensation claims were involved.
Court dismisses insurers’ breach claims against Blackbaud over 2020 cyberattack
A Delaware state court has dismissed two lawsuits brought by Travelers Casualty and Surety Company of America and Philadelphia Indemnity Insurance Company against software provider Blackbaud, Inc., rejecting the insurers’ efforts to recoup breach-related costs they paid to nonprofit and educational institutions after a 2020 ransomware attack. In an April 3, 2025 decision, Judge Kathleen M. Miller of the Superior Court of Delaware ruled that both amended complaints failed to state viable subrogation claims or adequately plead breach of contract. The dismissal, issued with prejudice, ends the case at the trial level and marks a notable win for Blackbaud in a high-profile dispute arising from one of the most widely reported nonprofit-sector cyberattacks in recent years.
EU gives staff ‘burner phones, laptops’ for US visits
The European Commission is giving staffers visiting the US on official business burner laptops and phones to avoid espionage attempts, according to the Financial Times. The use of clean and locked-down hardware is common practice for anyone visiting China, Russia, and other states where aggressive electronic surveillance is expected. Apparently the European Union has added the United States to that list. “The transatlantic alliance is over,” an EU official told the newspaper, which reported the commission “is issuing burner phones and basic laptops to some US-bound staff to avoid the risk of espionage — a measure traditionally reserved for trips to China.”
The post InfoSec News Nuggets 4/15/2025 appeared first on AboutDFIR - The Definitive Compendium Project.
InfoSec News Nuggets 4/14/2025 14 Apr 2025, 10:30 am
Moroccan cybercrime group Atlas Lion hiding in plain sight during attacks on retailers
Researchers have discovered a novel tactic used by Moroccan cybercrime group Atlas Lion to attack big-box retailers, apparel companies, restaurants and more. The group was observed using stolen credentials to enroll its own virtual machines (VMs) into an organization’s cloud domain, according to researchers at cybersecurity firm Expel. The move essentially allows the group to act like its cybercrime infrastructure is a legitimate part of a company’s network. Atlas Lion specializes in breaching the systems of large retailers in order to fraudulently issue gift card codes to themselves, according to Microsoft.
US sensor giant Sensata admits ransomware derailed ops
US sensor maker Sensata has told regulators that a ransomware attack caused an operational disruption, and that it’s still working to fully restore affected systems. Sensata, which raked in $4 billion in revenue in 2023, said the ransomware attack took place on April 6 and has encrypted “certain devices” on its network. The biz offers sensors, “sensor-rich solutions,” and electrical protection kits used in mission-critical systems, and it boasts it ships “over a billion” devices a year [PDF]. The Attleboro, MA-headquartered company, whose products are used in a variety of contexts including electric vehicles, airplanes, renewable energy, and industrial equipment, actually mentioned the word “ransomware” in its Form 8-K. It’s a welcome rarity when it comes to cyber incident disclosures, although there is nothing on its website or social media pages highlighting the ongoing technical difficulties.
That groan you hear is users’ reaction to Recall going back into Windows
Security and privacy advocates are girding themselves for another uphill battle against Recall, the AI tool rolling out in Windows 11 that will screenshot, index, and store everything a user does every three seconds. When Recall was first introduced in May 2024, security practitioners roundly castigated it for creating a gold mine for malicious insiders, criminals, or nation-state spies if they managed to gain even brief administrative access to a Windows device. Privacy advocates warned that Recall was ripe for abuse in intimate partner violence settings. They also noted that there was nothing stopping Recall from preserving sensitive disappearing content sent through privacy-protecting messengers such as Signal.
This Company’s ‘AI’ Was Really Just Remote Human Workers Pushing Buttons
A tech CEO who claimed to have built a cutting-edge AI for e-commerce was actually having human workers doing the tasks behind the scenes, according to a federal indictment. Federal prosecutors in New York charged 35-year-old Albert Saniger with securities fraud for allegedly lying to investors about what his AI could do. In 2018, Saniger founded Nate, an e-commerce company that claimed it was developing an AI program that could complete online purchases for the user with a single tap. The AI was designed to handle things like adding the shipping address and billing information. “Saniger repeatedly told investors and the public that the company’s app used proprietary AI technology to autonomously complete online purchases on behalf of users,” the Justice Department says. This included the claim that the AI could complete orders without human intervention at a 93% to 97% completion rate, according to the indictment.
Florida’s New Social Media Bill Says the Quiet Part Out Loud and Demands an Encryption Backdoor
At least Florida’s SB 868/HB 743, “Social Media Use By Minors” bill isn’t beating around the bush when it states that it would require “social media platforms to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena.” Usually these sorts of sweeping mandates are hidden behind smoke and mirrors, but this time it’s out in the open: Florida wants a backdoor into any end-to-end encrypted social media platforms that allow accounts for minors. This would likely lead to companies not offering end-to-end encryption to minors at all, making them less safe online.
LLMs can’t stop making up software dependencies and sabotaging everything
The rise of LLM-powered code generation tools is reshaping how developers write software – and introducing new risks to the software supply chain in the process. These AI coding assistants, like large language models in general, have a habit of hallucinating. They suggest code that incorporates software packages that don’t exist. As we noted in March and September last year, security and academic researchers have found that AI code assistants invent package names. In a recent study, researchers found that about 5.2 percent of package suggestions from commercial models didn’t exist, compared to 21.7 percent from open source or openly available models.
InfoSec News Nuggets 4/11/2025 11 Apr 2025, 12:06 pm
Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways
Palo Alto Networks has revealed that it’s observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat actors warned of a surge in suspicious login scanning activity targeting its appliances. “Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability,” a spokesperson for the company told The Hacker News. “We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary.”
Cracking the Code on Cybersecurity ROI
Measuring most types of return on investment (ROI) is relatively straightforward: You compare the cost of what you spent to the value of what you gained in return. However, calculating cybersecurity ROI presents a big challenge: It’s not always clear how much value cybersecurity investments create because when the investments are effective, nothing happens — meaning no security breaches occur. And you can’t easily quantify the monetary value of nothing. But that doesn’t mean it’s impossible to measure cybersecurity ROI in a meaningful way. The numbers may always be a bit hazier than more concrete forms of ROI, but nonetheless businesses can — and should — attempt to determine how much monetary value their cybersecurity investments yield.
Ransomware Reaches A Record High, But Payouts Are Dwindling
Shed a tear, if you can, for the poor, misunderstood cybercriminals hard at work trying to earn a dishonest crust by infecting organisations with ransomware. Newly released research has revealed that the riches to be made from encrypting a company’s data and demanding a ransom are not proving so easy to come by as they once were. Because, although the number of ransomware attacks is reported to have reached record-breaking heights in the first months of 2025, gangs’ profits are thought to be plummeting. BlackFog’s “State of Ransomware” report details over 100 publicly disclosed attacks in March 2025 – an 81% increase from the year before – with an average ransom demand of US $663,582.
iOS devices face twice the phishing attacks of Android
2024 brought about countless new cybersecurity challenges including significant growth of the mobile threat landscape, according to Lookout. Threat actors, ranging from nation-states to individuals, are increasingly targeting mobile devices for the onset of their attacks to steal credentials and infiltrate the enterprise cloud in a pathway known as the modern kill chain. More than ever, organizations of every size across every industry must view mobile targeting as a canary in the coal mine – an early indication that they could be under attack elsewhere in their infrastructure.
Ransomware crims hammering UK more than ever as British techies complain the board just doesn’t get it
The UK government’s latest annual data breach survey shows the number of ransomware attacks on the isles is on the increase – and many techies are forced to constantly and informally request defense spending from company directors because there are no security people on the board. “[The board is] very involved, they don’t give full autonomy to us to do whatever we want. We need to have a constant dialogue of this is what we’re doing, this is why we’re doing it,” one IT and digital services manager told the survey, while an unnamed cyber architect commented: “Nothing gets approval without first going to them [the board] and saying, this is exactly what it will do, what it will mean, what it is, how the money will be spent.”
InfoSec News Nuggets 4/10/2025 10 Apr 2025, 2:09 pm
OCC Notifies Congress of Incident Involving Email System
The Office of the Comptroller of the Currency (OCC) today notified Congress of a major information security incident, as required by the Federal Information Security Modernization Act. This finding is the result of internal and independent third-party reviews of OCC emails and email attachments that were subject to unauthorized access. On February 11, 2025, the OCC learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes. On February 12, the OCC confirmed the activity was unauthorized and immediately activated its incident response protocols which include initiating an independent third-party incident assessment and reporting the incident to the Cybersecurity and Infrastructure Security Agency. On February 12, the OCC disabled the compromised administrative accounts and confirmed that the unauthorized access had been terminated. The OCC provided public notice of the incident on February 26.
Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials
A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 metadata, which could include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint. Retrieving IAM credentials allows attackers to escalate their privileges and access S3 buckets or control other AWS services, potentially leading to sensitive data exposure, manipulation, and service disruption. The campaign was discovered by F5 Labs researchers, who report that the malicious activity culminated between March 13 and 25, 2025. The traffic and behavioral patterns strongly suggest that it was carried out by a single threat actor.
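As an added example (not code from the article or from F5 Labs), the Python below shows two defender-side checks for the SSRF-to-IMDS pattern described: an outbound-URL guard that refuses fetches to the EC2 metadata endpoints, and a scan of web access logs for request lines that smuggle a metadata URL. The function names, the injectable `resolve` hook and the sample log lines are all constructed for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import unquote, urlparse

# Addresses the EC2 Instance Metadata Service (IMDS) answers on: the IPv4
# endpoint the article refers to, plus the IPv6 endpoint AWS also exposes.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254"}


def _dns_resolve(host):
    """Default resolver: every A/AAAA record for the hostname."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_outbound_url(url, resolve=None):
    """SSRF guard for server-side fetches. Returns (True, 'ok') only when every
    address the URL can reach is public; otherwise (False, reason).
    `resolve` is injectable so the check can be exercised offline.
    Connect to the vetted IP afterwards rather than re-resolving, or a
    DNS-rebinding answer can slip past this check."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host"
    # Integer (http://2852039166/) and hex hosts are accepted by inet_aton and
    # decode to 169.254.169.254, so refuse them rather than trust the resolver.
    if host.isdigit() or host.lower().startswith("0x"):
        return False, "non-standard numeric host"
    try:
        ips = [str(ipaddress.ip_address(host))]   # IP literal: no DNS needed
    except ValueError:
        ips = (resolve or _dns_resolve)(host)
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.version == 6 and addr.ipv4_mapped:   # ::ffff:169.254.169.254
            addr = addr.ipv4_mapped
        if str(addr) in METADATA_HOSTS:
            return False, "metadata endpoint %s" % addr
        if (addr.is_link_local or addr.is_loopback
                or addr.is_private or addr.is_unspecified):
            return False, "internal address %s" % addr
    return True, "ok"


# Constructed access-log lines (Apache combined format) for the detection demo.
SAMPLE_LOG = [
    '203.0.113.9 - - [13/Mar/2025:10:02:11 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [13/Mar/2025:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Mar/2025:10:03:40 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 300 "-" "curl/8.0"',
]

LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
IMDS_MARKER = re.compile(
    r"169\.254\.169\.254|fd00:ec2::254|/latest/meta-data/", re.IGNORECASE)


def find_metadata_probes(log_lines):
    """Return (client_ip, decoded_request_target) for every request whose
    request line carries an IMDS URL. The target is decoded twice so that
    %25-style double encoding does not hide the payload."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target = m.groups()
        decoded = unquote(unquote(target))
        if IMDS_MARKER.search(decoded):
            hits.append((client, decoded))
    return hits


if __name__ == "__main__":
    print(is_safe_outbound_url("http://169.254.169.254/latest/meta-data/"))
    for client, target in find_metadata_probes(SAMPLE_LOG):
        print("IMDS probe from", client, "->", target)
```

The guard only narrows what an SSRF can reach; requiring IMDSv2 (session tokens) on the instances is the fix that removes the credential exposure the article describes.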
SMS Pumping: How Criminals Turn Your Messaging Service into Their Cash Machine
Imagine waking up to an alarming spike in SMS costs: hundreds of thousands of messages sent overnight. There’s no surge in new customers, no viral marketing campaign. Just a bill draining your budget. The culprit? A hidden cybercrime tactic known as SMS pumping fraud. Much like a modern-day toll scam, fraudsters exploit SMS verification systems to inflate traffic, generating revenue while leaving businesses to foot the bill. This scheme has quietly siphoned millions from companies relying on SMS-based authentication, sign-ups, and notifications. But with the right strategies, businesses can detect and prevent SMS pumping.
Over 40% of UK Businesses Faced Cybersecurity Breaches in 2024
A total of 43% of UK businesses and 30% of charities experienced a cyber breach or attack in the past year, according to the newly published Cyber Security Breaches Survey 2025. The report, published today, was commissioned by the UK Department for Science, Innovation and Technology (DSIT) and the Home Office. While breach statistics mark a slight decline from 2024, they continue to reflect the significant cybersecurity challenges facing UK organizations.
Why security stacks need to think like an attacker, and score every user in real time
More than 40% of corporate fraud is now AI-driven, designed to mimic real users, bypass traditional defenses and scale at speeds that overwhelm even the best-equipped SOCs. In 2024, nearly 90% of enterprises were targeted, and half of them lost $10 million or more. Bots emulate human behavior and create entire emulation frameworks, synthetic identities, and behavioral spoofing to pull off account takeovers at scale while slipping past legacy firewalls, EDR tools, and siloed fraud detection systems.
InfoSec News Nuggets 4/9/2025 9 Apr 2025, 3:43 pm
Malicious VSCode extensions infect Windows with cryptominers
A set of ten VSCode extensions on Microsoft’s Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer for Monero. Microsoft VSCode is a popular code editor that allows users to install extensions to extend the program’s functionality. These extensions can be downloaded from Microsoft’s VSCode Marketplace, an online hub for developers to find and install add-ons. ExtensionTotal researcher Yuval Ronen has uncovered ten VSCode extensions published on Microsoft’s portal on April 4, 2025.
Maryland pharmacist used keyloggers to spy on coworkers for a decade, victim alleges
A Maryland pharmacist installed spyware on hundreds of computers at a major teaching hospital and recorded videos over the course of a decade of staff pumping breastmilk and breastfeeding, a class-action lawsuit alleges. The suit, filed on March 27 and first reported by the Baltimore Banner, accuses pharmacist Matthew Bathula of implanting keyloggers — a type of software that records what someone types on a keyboard — on about 400 computers at the University of Maryland Medical Center (UMMC).
Musk’s DOGE using AI to snoop on U.S. federal workers, sources say
Trump administration officials have told some U.S. government employees that Elon Musk’s DOGE team of technologists is using artificial intelligence to surveil at least one federal agency’s communications for hostility to President Donald Trump and his agenda, said two people with knowledge of the matter. While much of Musk’s Department of Government Efficiency remains shrouded in secrecy, the surveillance would mark an extraordinary use of technology to identify expressions of perceived disloyalty in a workforce already upended by widespread firings and severe cost cutting.
Food giant WK Kellogg discloses data breach linked to Clop ransomware
US food giant WK Kellogg Co is warning employees and vendors that company data was stolen during the 2024 Cleo data theft attacks. Cleo software is a managed file transfer utility that was targeted by the Clop ransomware gang en masse at the end of last year. This attack leveraged two zero-day flaws tracked as CVE-2024-50623 and CVE-2024-55956, allowing the threat actors to breach servers and steal data. “WK Kellogg learned on February 27, 2025, that a security incident may have occurred involving Cleo,” reads the notice.
Lovable AI Found Most Vulnerable to VibeScamming — Enabling Anyone to Build Live Scam Pages
Lovable, a generative artificial intelligence (AI) powered platform that allows for creating full-stack web applications using text-based prompts, has been found to be the most susceptible to jailbreak attacks, allowing novice and aspiring cybercrooks to set up lookalike credential harvesting pages. “As a purpose-built tool for creating and deploying web apps, its capabilities line up perfectly with every scammer’s wishlist,” Guardio Labs’ Nati Tal said in a report shared with The Hacker News. “From pixel-perfect scam pages to live hosting, evasion techniques, and even admin dashboards to track stolen data — Lovable didn’t just participate, it performed. No guardrails, no hesitation.”
InfoSec News Nuggets 4/8/2025 8 Apr 2025, 10:53 am
Autonomous, GenAI-Driven Attacker Platform Enters the Chat
Researchers are sounding the alarm on an emerging all-in-one, AI-driven hacking tool that provides attackers with a modular architecture for developing and launching a range of cybercriminal operations, such as phishing campaigns, vulnerability exploitation, or even ransomware attacks. “Xanthorox AI,” a cyberattack platform first spotted in March circulating on darknet hacker forums and encrypted channels, enables a style of self-directed, autonomous AI-driven attacks that defenders feared may eventually appear when generative AI (GenAI) technology first became mainstream, according to research from SlashNext published on April 7.
Boards Urged to Follow New Cyber Code of Practice
A new government initiative launched today aims to improve cyber-resilience across UK organizations by providing new guidance for boards. The Cyber Governance Code of Practice describes the actions company directors and board members need to take to ensure cyber-risk is managed effectively. The government argued that improving oversight at this level is vital to growing the economy, given that 74% of large and 70% of medium-sized firms experienced attacks and breaches in the past year. It claimed that such incidents cost the national economy almost £22bn a year between 2015 and 2019.
Threat Actors Setting Up Persistent Access to Hosts Hacked in CrushFTP Attacks
Cybersecurity firm Huntress has shared details on the post-exploitation activities seen in the attacks leveraging the recently disclosed CrushFTP vulnerability. The vulnerability, discovered by researchers at security firm Outpost24, is tracked as CVE-2025-31161 and it allows an attacker to bypass authentication and gain access to a system. Its disclosure has been shrouded in controversy, with developers of the enterprise file transfer solution blaming security firms for the quick in-the-wild exploitation of the flaw. Huntress has been seeing attacks exploiting the CrushFTP vulnerability since March 30. Initially, threat actors appeared to be testing access, but the security firm later started observing post-exploitation activity aimed at setting up persistent access to targeted hosts.
Inside the Russian-Speaking Underground: The Frontline of Global Cybercrime
Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today launched a new research paper, delivering a unique and comprehensive look into the Russian-speaking cyber underground, an ecosystem that has shaped global cybercrime over the past decade. Set against the backdrop of a rapidly evolving cyber threat landscape, the research paper explores major trends reshaping the underground economy: the long-term impacts of the pandemic, the fallout of mass breaches and double extortion ransomware, the explosion of accessible AI and Web3 technologies, and the widespread exposure of biometric data. As both cyber criminals and defenders grow more sophisticated, new tools, tactics, and business models are driving unprecedented levels of specialization within underground communities.
WhatsApp Tests Advanced Privacy Feature for Blocking Chat Exports
WhatsApp is testing a new option that lets you control whether other chat members can export your chats with them or automatically save media you send them, according to WaBetaInfo. Referred to as “advanced chat privacy,” the new option has a toggle in a recent WhatsApp beta for iOS. By turning it on, you can prevent individual users or people in a group chat from exporting the entire chat history outside of WhatsApp.
InfoSec News Nuggets 4/7/2025 7 Apr 2025, 11:22 am
CISA braces for deep staffing cuts
The Cybersecurity and Infrastructure Security Agency is looking to push out as much as a third of the agency’s total headcount, in addition to contract personnel from a major threat hunting team, according to three sources familiar with the matter. The cuts are likely to impact “every single part of the agency,” one of those sources told Axios — dealing a huge blow to the country’s cybersecurity posture following earlier rounds of layoffs and contract cuts. CISA is expected to start reducing its workforce through a second “Fork in the Road” email, two sources told Axios.
Hackers strike Australia’s largest pension funds in coordinated attacks
Hackers targeting Australia’s major pension funds in a series of coordinated attacks have stolen savings from some members at the biggest fund, according to a source with knowledge of the matter, and compromised more than 20,000 accounts. National Cyber Security Coordinator Michelle McGuinness said in a statement she was aware of “cyber criminals” targeting accounts in the country’s A$4.2 trillion ($2.63 trillion) retirement savings sector and was organising a response across the government, regulators and industry. The Association of Superannuation Funds of Australia, the industry body, said “a number” of funds were impacted over the weekend. While the full scale of the incident remains unclear, AustralianSuper, Australian Retirement Trust, Rest, Insignia and Hostplus on Friday all confirmed they suffered breaches.
T-Mobile’s data breach settlements are rolling out now – here’s how to see if you qualify
If you’re a T-Mobile customer — or were back in 2021 — you might have a check showing up in your mailbox soon. In 2021, the mobile carrier suffered a massive data breach that affected around 76 million customers (this isn’t related to the 2023 breach that affected 37 million people). T-Mobile denied any wrongdoing but agreed to settle a lawsuit about the breach out of court. Four years later, affected customers are getting compensation.
Port of Seattle Says 90,000 People Impacted by Ransomware Attack
The Port of Seattle is notifying 90,000 individuals that their personal information was compromised in an August 2024 data breach resulting from a ransomware attack. The incident occurred on August 24 and forced the Port to isolate critical systems, which impacted the Seattle-Tacoma International Airport (SEA Airport), Fishermen’s Terminal, and public marinas it operates. In mid-September, the Port confirmed that ransomware was used in the attack, blaming the Rhysida group for the intrusion and announcing that it refused to pay a ransom. The threat actor was demanding a $6 million ransom to be paid.
High-Severity Cloud Security Alerts Tripled in 2024
The rate of severe cloud security incidents affecting customers of Palo Alto Networks rose more than threefold over the course of 2024. By comparing the beginning and end of 2024, Palo Alto tracked a 388% increase in cloud security alerts affecting organizations. The overwhelming majority of that rise can be attributed to neither threats of a low severity (up 10% through the year) nor even medium-severity (up 21%), but high-severity incidents, which rose by a full 235%.
EDR-as-a-Service makes the headlines in the cybercrime landscape
According to a detailed analysis conducted by Meridian Group, an increasingly complex and structured phenomenon, commonly referred to as “EDR-as-a-Service,” is taking hold in the cybersecurity landscape. In a nutshell, some criminal groups are exploiting compromised accounts belonging to law enforcement and other government agencies to illicitly forward Emergency Data Requests (EDRs) to major online platforms. These falsely obtained credentials enable cyber criminals to successfully mimic a real-world investigation by inducing platform operators to provide extremely sensitive information.
InfoSec News Nuggets 4/4/2025 4 Apr 2025, 2:06 pm
Oracle privately confirms Cloud breach to customers
Oracle has finally acknowledged to some customers that attackers have stolen old client credentials after breaching a “legacy environment” last used in 2017, Bloomberg reported. However, while Oracle told clients this is old legacy data that is not sensitive, the threat actor behind the attack has shared data with BleepingComputer from the end of 2024 and posted newer records from 2025 on a hacking forum. According to Bloomberg, the company also informed clients that cybersecurity firm CrowdStrike and the FBI are investigating the incident.
Verizon Call Filter API flaw exposed customers’ incoming call history
A vulnerability in Verizon’s Call Filter feature allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request. The flaw was discovered by security researcher Evan Connelly on February 22, 2025, and was fixed by Verizon sometime in the following month. However, the total period of exposure is unknown. Verizon’s Call Filter app is a free utility that offers users spam detection and automatic call blocking. A paid version (Plus) adds a spam lookup and risk meter, the ability to apply blocks by type of caller, and receive caller ID on unknown numbers.
Suspected Chinese spies right now hijacking buggy Ivanti gear – for third time in 3 years
Suspected Chinese government spies have been exploiting a newly disclosed critical bug in Ivanti VPN appliances since mid-March. This is now at least the third time in three years these snoops have been pwning these products. Plus, post-exploit, the Beijing-backed crew deployed on compromised Ivanti equipment two new malware strains along with variants of the Spawn software nasty, we’re told. Ivanti today detailed the under-attack 9.0-out-of-10-severity vulnerability, tracked as CVE-2025-22457, and said it affects Ivanti Connect Secure (version 22.7R2.5 and earlier), Pulse Connect Secure 9.x (end-of-support as of December 31), Ivanti Policy Secure, and ZTA gateways.
Malicious Python packages target popular Bitcoin library
When it comes to the frequency and sophistication of software supply chain attacks, few industries can compare with cryptocurrency. As ReversingLabs’ 2025 Software Supply Chain Security Report notes, 2024 saw close to two dozen sustained supply chain campaigns designed to compromise cryptocurrency applications, cryptocurrency owners’ wallets, and cryptocurrency trading platforms. The trend continues in 2025. A string of malicious software supply chain campaigns has targeted developers working on crypto-related applications. The latest popped onto the RL research team’s radar last week when automated machine-learning (ML) detection features in RL’s Spectra platform identified two malicious Python packages, posted to the Python Package Index (PyPI), containing code designed to exfiltrate sensitive database files.
State Bar of Texas Says Personal Information Stolen in Ransomware Attack
The State Bar of Texas this week started sending notification letters to thousands of individuals to notify them of a data breach resulting from a February ransomware attack. On February 12, the state bar association wrote in the notification letters, suspicious activity on its network prompted it to initiate response procedures and launch an investigation. The association determined that a threat actor had access to its network between January 28 and February 9, and it stole certain files, including ones containing personal information. The compromised information, the State Bar of Texas says, varies by individuals, and the copies of the notification letter that were submitted to Attorney General Offices have been redacted in this regard.
SpotBugs Access Token Theft Identified as Root Cause of GitHub Supply Chain Attack
The cascading supply chain attack that initially targeted Coinbase before becoming more widespread to single out users of the “tj-actions/changed-files” GitHub Action has been traced further back to the theft of a personal access token (PAT) related to SpotBugs. “The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for static analysis of bugs in code,” Palo Alto Networks Unit 42 said in an update this week. “This enabled the attackers to move laterally between SpotBugs repositories, until obtaining access to reviewdog.” There is evidence to suggest that the malicious activity began as far back as November 2024, although the attack against Coinbase did not take place until March 2025.
The post InfoSec News Nuggets 4/4/2025 appeared first on AboutDFIR - The Definitive Compendium Project.
InfoSec News Nuggets 4/3/2025 3 Apr 2025, 11:05 am
Toll Scams Are What’s Happen.xin Right Now
Have you ever received an odd text message on your phone, purporting to be from a toll provider or package delivery service? If you have a U.S. cell phone, chances are you’ve encountered one of these SMiShing attempts—cybercriminals’ latest ploy to trick you into giving up your personal and financial details. SMiShing (a portmanteau of SMS and phishing) relies on victims clicking deceptive links that appear legitimate but actually lead to malicious websites.
Want AI to work for your business? Then privacy needs to come first
Cisco has released a “2025 Data Privacy Benchmark Study” that looks at the privacy challenges companies face with the rise of artificial intelligence. It offers practical insights for businesses that want to integrate AI while keeping privacy front and center. The study gathered opinions from 2,600 privacy and security professionals across 12 countries. A key finding is that most companies (86%) support privacy laws, citing a “positive” impact on their business operations. Although compliance can be costly, 96% of organizations reported that the benefits significantly outweigh the investment.
Oracle admits second major security breach, user login data stolen
Oracle has apparently suffered its second cyberattack in a month, but the company is downplaying its importance. A Bloomberg report citing two people familiar with the matter has claimed Oracle told some of its customers a threat actor compromised its IT infrastructure and stole client login credentials. At the same time, Reuters is reporting that an unidentified threat actor tried to sell the stolen data on the dark web, claiming to have stolen it from Oracle’s Austin, Texas premises.
Heterogeneous stacks, ransomware, and ITaaS: A DR nightmare
Disaster recovery is getting tougher as IT estates sprawl across on-prem gear, public cloud, SaaS, and third-party ITaaS providers. And it’s not floods or fires causing most outages anymore – ransomware now leads the pack, taking down systems faster than any natural disaster. This makes one thing clearer: The more homogeneous and standardized your IT environment, the easier it is to recover from disasters – whatever their cause.
39 Million Secrets Leaked on GitHub in 2024
Keeping secrets protected on GitHub is now easier, courtesy of new capabilities that the Microsoft-owned code hosting platform announced on Wednesday. With GitHub discovering roughly 39 million leaked secrets across the platform in 2024, it’s clear that inadvertently exposing secrets in code happens rather often, and threat actors are known to harvest and exploit them within minutes. To help organizations and developers better protect tokens, credentials, and other secrets and prevent their exposure, GitHub is now offering Secret Protection and Code Security as standalone products for enterprise customers.
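Most of the value in secret scanning comes from a small set of high-confidence patterns: well-known token prefixes, credentials embedded in connection URLs, and private-key headers. The scanner below is an added example, not GitHub's own Secret Protection logic or any code from the page; it runs those patterns over a constructed source file and reports each hit with the secret material masked so the report itself does not leak it. The token and key values in the sample are made up (the AWS key ID is the documented `AKIAIOSFODNN7EXAMPLE` placeholder).

```python
import re

# Constructed sample file; none of these values are real credentials.
SAMPLE_SOURCE = """\
# config.py (constructed sample, no real credentials)
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_URL = "postgres://app:s3cr3t-pw@db.internal:5432/app"
example_comment = "tokens look like ghp_ followed by 36 chars"
-----BEGIN OPENSSH PRIVATE KEY-----
"""

# (kind, pattern); group 1 is the secret material to mask in reports.
PATTERNS = [
    # GitHub classic personal access token: ghp_ + 36 alphanumerics.
    ("github_pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    # AWS access key ID: AKIA + 16 uppercase alphanumerics.
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    # user:password@ inside a scheme://... URL; group 1 is the password.
    ("url_credentials", re.compile(r"://[^:/@\s]+:([^@\s]+)@")),
    # PEM private-key header (RSA, EC, OPENSSH, or unqualified).
    ("private_key", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
]


def mask(secret, keep=4):
    """Keep a short identifying prefix, replace the rest with '*'."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_text(text):
    """Return one finding per (line, pattern) as dicts with the secret masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "kind": kind,
                                 "masked": mask(m.group(1))})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['masked']}")
```

Run against a diff before committing (a pre-commit hook) rather than only against the repository after the fact; once a token has been pushed, the page's point stands that harvesting happens within minutes, so the response is revocation, not deletion from history.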
Details Emerge on CVE Controversy Around Exploited CrushFTP Vulnerability
More details have emerged on the story of the CVE controversy around a CrushFTP vulnerability that threat actors started exploiting just days after its existence came to light. On March 21, the developers of the CrushFTP enterprise file transfer solution informed customers that versions 10 and 11 are affected by a critical vulnerability that exposes systems to remote hacking. An attacker can leverage the flaw to bypass authentication and gain admin access to impacted CrushFTP instances.
InfoSec News Nuggets 4/1/2025 2 Apr 2025, 8:08 pm
Password managers are under threat in 2025. What the LastPass breach taught us
Back in August 2022, password manager LastPass suffered a massive breach. A still-unknown cybercriminal successfully targeted one of LastPass’ four DevOps engineers who had access to the decryption keys for the cloud storage service. Using the engineer’s stolen credentials, the hacker was able to infiltrate LastPass’ systems undetected. This breach lasted for months and continued even after LastPass believed the threat had been contained.
Phishing platform ‘Lucid’ behind wave of iOS, Android SMS attacks
A phishing-as-a-service (PhaaS) platform named ‘Lucid’ has been targeting 169 entities in 88 countries using well-crafted messages sent on iMessage (iOS) and RCS (Android). Lucid, which has been operated by Chinese cybercriminals known as the ‘XinXin group’ since mid-2023, is sold to other threat actors via a subscription-based model that gives them access to over 1,000 phishing domains, tailored auto-generated phishing sites, and pro-grade spamming tools. Prodaft researchers note that XinXin has also been using the Darcula v3 platform for its operations, which indicates a potential connection between the two PhaaS platforms.
Top cybersecurity boffin, wife vanish as FBI raids homes
A tenured computer security professor at Indiana University and his university-employed wife have not been seen publicly since federal agents raided their homes late last week. On Friday, the FBI with help from the cops searched two properties in Bloomington and Carmel, Indiana, belonging to Xiaofeng Wang, a professor at the Indiana Luddy School of Informatics, Computing, and Engineering – who’s been with the American university for more than 20 years – and Nianli Ma, a lead library systems analyst and programmer also at the university.
Crimelords at Hunters International tell lackeys ransomware too ‘risky’
Big-game ransomware crew Hunters International says its criminal undertaking has become “unpromising, low-converting, and extremely risky,” and it is mulling shifting tactics amid an apparent rebrand. This is according to researchers at Group-IB, who believe a spinoff – which will focus on extortion involving purely the theft of data – is under formation by the gang’s senior personnel. They think, however, the old group is still currently operating. Victims of Hunters International include Tata Technologies, a plastic surgeon with an office in Beverly Hills, and Industrial and Commercial Bank of China’s London HQ.
Hackers Exploit Microsoft Teams in Multi-Stage AI Cyberattack
Cybercriminals are getting smarter, and their latest attack leverages Microsoft Teams and remote access tools to infiltrate enterprise networks. Discovered by Ontinue researchers, this multi-stage cyberattack uses social engineering and stealthy techniques to bypass security defenses, making it a serious threat to organizations worldwide. According to a new report from the Ontinue Cyber Defence Centre, this sophisticated multi-stage cyberattack starts with a Microsoft Teams message delivering a malicious PowerShell payload. The attacker then gains initial access using Microsoft Quick Assist before deploying a signed TeamViewer binary along with a malicious DLL named “TV.dll.” These signed binaries help the hacker bypass endpoint detection and response (EDR) solutions, making the attack even harder to detect.
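Each stage of that chain is individually unremarkable (Teams is used all day, Quick Assist is a Microsoft tool, TeamViewer is signed), which is why a single-event rule misses it and a sequence rule catches it. The detector below is an added example, not Ontinue's detection content or anything from the page: it correlates three stage predicates per host inside a time window and raises an alert only when two or more stages line up. The events, their field names and the assumption that the sideloaded DLL is unsigned are all constructed for illustration; map the fields from your own EDR or Sysmon schema, and if the attacker signs the DLL, replace the `dll_signed` test with a signer comparison against the loading binary.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real events). Field names are an
# assumption for this example; adapt them to your EDR/Sysmon schema.
EVENTS = [
    {"host": "ws01", "ts": "2025-03-28T10:02:11", "type": "process",
     "parent": "ms-teams.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc <base64>"},
    {"host": "ws01", "ts": "2025-03-28T10:07:40", "type": "process",
     "parent": "explorer.exe", "image": "quickassist.exe",
     "cmdline": "quickassist.exe"},
    {"host": "ws01", "ts": "2025-03-28T10:15:05", "type": "image_load",
     "image": "TeamViewer.exe", "image_signed": True,
     "dll": "TV.dll", "dll_path": r"C:\Users\alice\AppData\Local\Temp\tv\TV.dll",
     "dll_signed": False},
    # Benign: vendor-installed TeamViewer loading its own signed TV.dll.
    {"host": "ws02", "ts": "2025-03-28T11:00:00", "type": "image_load",
     "image": "TeamViewer.exe", "image_signed": True,
     "dll": "TV.dll", "dll_path": r"C:\Program Files\TeamViewer\TV.dll",
     "dll_signed": True},
    # Lone Quick Assist session: one stage only, should not alert.
    {"host": "ws03", "ts": "2025-03-28T12:30:00", "type": "process",
     "parent": "explorer.exe", "image": "quickassist.exe",
     "cmdline": "quickassist.exe"},
]

# Stage name and predicate, in the order the page describes the chain.
STAGES = [
    ("teams_to_powershell", lambda e: e["type"] == "process"
        and e["parent"].lower() in {"ms-teams.exe", "teams.exe"}
        and e["image"].lower() == "powershell.exe"),
    ("quick_assist", lambda e: e["type"] == "process"
        and e["image"].lower() == "quickassist.exe"),
    # A signed binary loading an unsigned DLL: the signature covers the
    # EXE only, so "signed binary" says nothing about what it sideloads.
    ("signed_binary_sideload", lambda e: e["type"] == "image_load"
        and e["image_signed"] and not e["dll_signed"]),
]


def stage_hits(events):
    """(timestamp, host, stage) for every event matching a stage, in time order."""
    hits = []
    for e in events:
        for name, pred in STAGES:
            if pred(e):
                hits.append((datetime.fromisoformat(e["ts"]), e["host"], name))
    return sorted(hits)


def detect(events, window=timedelta(minutes=30), min_stages=2):
    """Hosts where at least `min_stages` distinct stages occur within
    `window` of that host's first stage hit; value is the ordered chain."""
    by_host = {}
    for ts, host, name in stage_hits(events):
        by_host.setdefault(host, []).append((ts, name))
    alerts = {}
    for host, hits in by_host.items():
        first_ts = hits[0][0]
        chain = []
        for ts, name in hits:
            if ts - first_ts <= window and name not in chain:
                chain.append(name)
        if len(chain) >= min_stages:
            alerts[host] = chain
    return alerts


if __name__ == "__main__":
    for host, chain in detect(EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(chain)}")
```

The window starts at the first stage seen on a host; for long-running telemetry a sliding window is the better choice, but the ordering and de-duplication logic is the same.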