"Securitiy Affairs Malware Newsletter, Round 45."

Views expressed in this cybersecurity, cyber crime update are those of the reporters and correspondents.  Accessed on 11 May 2025, 2221 UTC.

Content and Source:  Email subscription via https://feedly.com.

 https://feedly.com/i/subscription/feed%2Fhttp%3A%2F%2Fsecurityaffairs.co%2Fwordpress%2Ffeed

Please check email link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (https://www.hawaiicybersecurityjournal.net).

Security Affairs

72K followers26 articles per week

#security#tech

39

Today

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 45

by Pierluigi Paganini / 3h

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape iClicker site hack targeted students with malware via fake CAPTCHA New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms Backdoor found in popular ecommerce components Stealthy Linux backdoor leveraging residential proxies and NHAS reverse SSH

Security Affairs newsletter Round 523 by Pierluigi Paganini – INTERNATIONAL EDITION

by Pierluigi Paganini / 3h

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Ascension reveals personal data of 437,329 patients exposed in cyberattack Operation Moonlander dismantled the botnet behind Anyproxy and 5socks cybercrim

Google will pay Texas $1.4 billion over its location tracking practices

Google settles Texas privacy lawsuits

•

by Pierluigi Paganini / 5h

Google will pay the U.S. state of Texas $1.4B to settle lawsuits over unauthorized location tracking and facial recognition data retention. Google will pay nearly $1.4 billion to the state of Texas to settle two lawsuits over tracking users’ locations and storing biometric data without consent. The $1.375 billion settlement far exceeds previous fines over its location tracking practices: $391 mil

Yesterday

Ascension reveals personal data of 437,329 patients exposed in cyberattack

Impact (Enterprise TA0040)

•

by Pierluigi Paganini / 1d

•

Ascension data breach affects 430000 patients

A data breach at Ascension, caused by a former partner’s compromise, exposed the health information of over 430,000 patients. Ascension is one of the largest private healthcare systems in the United States, ranking second in the United States by the number of hospitals as of 2019. At the end of April, the company notified patients that their personal and health information had been compromised in

Operation Moonlander dismantled the botnet behind Anyproxy and 5socks cybercriminals services

8 TTPs

•

by Pierluigi Paganini / 1d

•

FBI and Dutch police shut down botnet

Law enforcement dismantled a 20-year botnet behind Anyproxy and 5socks cybercriminals services and arrested four suspects. Authorities dismantled a 20-year-old botnet tied to Anyproxy and 5socks as part of an international operation codenamed “Operation Moonlander”; four men, including three Russians, were indicted for running the illegal proxy networks. The U.S. Justice Department charged Russia

May 9, 2025

A cyber attack briefly disrupted South African Airways operations

3 TTPs

•

by Pierluigi Paganini / 2d

•

SAA experiences major cyberattack disruption

A cyberattack briefly disrupted South African Airways’ website, app, and systems, but core flight operations remained unaffected. South African Airways (SAA) is the national flag carrier of South Africa, the airline is wholly owned by the South African government and has subsidiaries including SAA Technical and Air Chefs. A cyberattack hit South African Airways, briefly disrupting its website, ap

Cybercriminal services target end-of-life routers, FBI warns

by Pierluigi Paganini / 2d

The FBI warns that attackers are using end-of-life routers to deploy malware and turn them into proxies sold on 5Socks and Anyproxy networks. The FBI released a FLASH alert warning about 5Socks and Anyproxy malicious services targeting end-of-life (EOL) routers. Attackers target EoL devices to deploy malware by exploiting vulnerabilities and create botnets for attacks or proxy services. The alert

May 8, 2025

Russia-linked ColdRiver used LostKeys malware in recent attacks

COLDRIVER uses LOSTKEYS malware

•

by Pierluigi Paganini / 2d

Since early 2025, Russia-linked ColdRiver has used LostKeys malware to steal files in espionage attacks on Western governments and organizations. Google’s Threat Intelligence Group discovered LOSTKEYS, a new malware used by Russia-linked APT COLDRIVER , in recent attacks to steal files and gather system info. The ColdRiver APT (aka “ Seaborgium “, “Callisto”, “Star Blizzard”, “TA446”) is a Russia

SonicWall fixed SMA 100 flaws that could be chained to execute arbitrary code

by Pierluigi Paganini / 2d

SonicWall addressed three SMA 100 flaws, including a potential zero-day, that could allow remote code execution if chained. SonicWall patches three SMA 100 vulnerabilities (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821), including a potential zero-day, that could be chained by a remote attacker to execute arbitrary code. The first flaw, tracked as CVE-2025-32819 (CVSS score of 8.8), is a Pos

The LockBit ransomware site was breached, database dump was leaked online

LockBit ransomware gang hacked database exposed

•

by Pierluigi Paganini / 3d

Lockbit ransomware group has been compromised, attackers stole and leaked data contained in the backend infrastructure of their dark web site. Hackers compromised the dark web leak site of the LockBit ransomware gang and defaced it, posting a message and a link to the dump of the MySQL database of its backend affiliate panel. “Don’t do crime CRIME IS BAD xoxo from Prague,” reads the message publi

Cisco fixed a critical flaw in its IOS XE Wireless Controller

CVE-2025-20188 & 16 others

•

by Pierluigi Paganini / 3d

Cisco addressed a flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files. Cisco released software updates to address a vulnerability, tracked as CVE-2025-20188 (CVSS score 10), in IOS XE Wireless Controller. An unauthenticated, remote attacker can exploit the flaw to load arbitrary files to a vulnerable system. An attacker can exploi

May 7, 2025

U.S. CISA adds GoVision device flaws to its Known Exploited Vulnerabilities catalog

6 TTPs

•

by Pierluigi Paganini / 3d

•

CVE-2024-11120

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds GoVision device flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities (KEV) catalog . Below are the descriptions for these flaws: CVE-2024-60

Polish authorities arrested 4 people behind DDoS-for-hire platforms

Police arrest DDoS-for-hire suspects

•

by Pierluigi Paganini / 3d

Polish police arrested 4 people behind DDoS-for-hire platforms used in global attacks, offering takedowns for as little as €10 via six stresser services. Polish authorities arrested 4 people linked to 6 DDoS-for-hire platforms, Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut, used to launch attacks worldwide for as little as €10. The platforms were used to carry out thousands of

Play ransomware affiliate leveraged zero-day to deploy malware

11 TTPs

•

by Pierluigi Paganini / 4d

The Play ransomware gang exploited a high-severity Windows Common Log File System flaw in zero-day attacks to deploy malware. The Play ransomware gang has exploited a Windows Common Log File System flaw, tracked as CVE-2025-29824 , in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems. The vulnerability CVE-2025-29824 , (CVSS score of 7.8) is a Use after free in

Canary Exploit tool allows to find servers affected by Apache Parquet flaw

6 TTPs

•

by Pierluigi Paganini / 4d

F5 Labs researchers released a PoC tool to find servers vulnerable to the Apache Parquet vulnerability CVE-2025-30065. A working proof-of-concept exploit for the critical Apache Parquet vulnerability CVE-2025-30065 has been released by F5 Labs, allowing the identification of vulnerable servers. The tool, called “canary exploit,” is available on the security firm’s GitHub repository . Apache Parqu

Unsophisticated cyber actors are targeting the U.S. Energy sector

Impact (Enterprise TA0040)

•

by Pierluigi Paganini / 4d

CISA, FBI, EPA, and DoE warn of cyberattacks on the U.S. Energy sector carried out by unsophisticated cyber actors targeting ICS/SCADA systems. The US cybersecurity agency CISA, the FBI, EPA, and the DoE issued a joint alert to warn of cyberattacks targeting US-based organizations in the oil and natural gas sector. Unsophisticated threat actors are targeting ICS/SCADA systems in U.S. energy and t

May 6, 2025

NSO Group must pay WhatsApp over $167M in damages for attacks on its users

2 TTPs

•

by Pierluigi Paganini / 4d

NSO Group must pay WhatsApp over $167M in damages for a 2019 hack targeting 1,400+ users, per U.S. jury ruling after a five-year legal battle. A U.S. jury ordered NSO Group to pay WhatsApp over $167M for using Pegasus spyware to target over 1,400 people, violating U.S. laws. After a five-year legal battle, a jury ordered NSO Group to pay over $167 million in punitive and over $444,000 in compensa

U.S. CISA adds FreeType flaw to its Known Exploited Vulnerabilities catalog

by Pierluigi Paganini / 4d

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds FreeType flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FreeType flaw, tracked as CVE-2025-27363 (CVSS score of 8.1), to its Known Exploited Vulnerabilities (KEV) catalog . In mid-March, Meta warned that the out-of-bounds write vulnerability CVE-2025-273

Samsung MagicINFO flaw exploited days after PoC exploit publication

CVE-2024-7399

•

by Pierluigi Paganini / 5d

Threat actors started exploiting a vulnerability in Samsung MagicINFO only days after a PoC exploit was published. Arctic Wolf researchers observed threat actors beginning to exploit a high-severity vulnerability, tracked as CVE-2024-7399 (CVSS score: 8.8), in the Samsung MagicINFO content management system (CMS) just days after proof-of-concept (PoC) exploit code was publicly released. The vulne

Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324

11 TTPs

•

by Pierluigi Paganini / 5d

•

CVE-2025-31324

Threat actors launch second wave of attacks on SAP NetWeaver, exploiting webshells from a recent zero-day vulnerability. In April, ReliaQuest researchers warned that a zero-day vulnerability, tracked as CVE-2025-31324 (CVSS score of 10/10), in SAP NetWeaver is potentially being exploited. Thousands of internet-facing applications are potentially at risk. The flaw in SAP NetWeaver Visual Composer

U.S. CISA adds Langflow flaw to its Known Exploited Vulnerabilities catalog

4 TTPs

•

by Pierluigi Paganini / 5d

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Langflow flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Langflow flaw, tracked as CVE-2025-3248 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog . Langflow is a popular tool used for building agentic AI workflows. CVE-2025-3248 i

Google fixed actively exploited Android flaw CVE-2025-27363

by Pierluigi Paganini / 5d

Google addressed 46 Android security vulnerabilities, including one issue that has been exploited in attacks in the wild. Google’s monthly security updates for Android addressed 46 flaws, including a high-severity vulnerability, tracked as CVE-2025-27363 (CVSS score of 8.1), that has been exploited in the wild. The company did not disclose any details regarding the attacks or the threat actors ex

May 5, 2025

New ‘Bring Your Own Installer (BYOI)’ technique allows to bypass EDR

5 TTPs

•

by Pierluigi Paganini / 5d

•

BYOI bypasses SentinelOne EDR

A new BYOI technique lets attackers bypass SentinelOne EDR, disable protection, and deploy Babuk ransomware by exploiting the agent upgrade process. Aon’s Stroz Friedberg discovered a new “Bring Your Own Installer” (BYOI) EDR bypass technique that exploits a flaw in SentinelOne’s upgrade process to bypass its anti-tamper protections, leaving endpoints unprotected. Stroz Friedberg researchers did

Smishing on a Massive Scale: ‘Panda Shop’ Chinese Carding Syndicate

2 TTPs

•

by Pierluigi Paganini / 5d

Resecurity found a new smishing kit called ‘Panda Shop,’ mimicking Smishing Triad tactics with improved features and new templates. Resecurity (USA) was the first company to identify the Smishing Triad , a group of Chinese cybercriminals targeting consumers across the globe. In August 2023, our team was able to identify their activity and locate the smishing kit they were using, successfully expl

Kelly Benefits December data breach impacted over 400,000 individuals

Kelly Benefits data breach affects 400000

•

by Pierluigi Paganini / 6d

Kelly Benefits has determined that the impact of the recently disclosed data breach is much bigger than initially believed. Benefits and payroll solutions firm Kelly & Associates Insurance Group, aka Kelly Benefits, announced that the impact of a recently disclosed data breach is much bigger than initially estimated. The U.S.-based company provides benefits, payroll, and workforce management solu

A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov

Collection (Enterprise TA0009)

•

38by Pierluigi Paganini / 6d

A hacker stole data from TeleMessage, exposing messages from its modified Signal, WhatsApp, and other apps sold to the U.S. government. A hacker stole customer data from TeleMessage, an Israeli firm selling modified versions of popular messaging apps, such as Signal and WhatsApp, to the U.S. government. “The data stolen by the hacker contains the contents of some direct messages and group chats s

Experts shared up-to-date C2 domains and other artifacts related to recent MintsLoader attacks

24 TTPs

•

by Pierluigi Paganini / 6d

•

MintsLoader malware used in attacks

MintsLoader is a malware loader delivering the GhostWeaver RAT via a multi-stage chain using obfuscated JavaScript and PowerShell. Recorded Future researchers observed MintsLoader