"Threat actors use fake AI to deliver the information stealer Noodlophile."

Views expressed in this cybersecurity, cyber crime update are those of the reporters and correspondents.  Accessed on 15 May 2025, 1417 UTC.

Content and Source:  "Security Affairs"

Email subscription via https://feedly.com.

 https://feedly.com/i/subscription/feed%2Fhttp%3A%2F%2Fsecurityaffairs.co%2Fwordpress%2Ffeed

Please check email link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (https://www.hawaiicybersecurityjournal.net).

Security Affairs

72K followers27 articles per week

#security#tech

54

Most popular

Threat actors use fake AI tools to deliver the information stealer Noodlophile

IoC > 1 domain

•

by Pierluigi Paganini / 3d

Threat actors use fake AI tools to trick users into installing the information stealer Noodlophile, Morphisec researchers warn. Morphisec researchers observed attackers exploiting AI hype to spread malware via fake AI tools promoted in viral posts and Facebook groups. Users seeking free AI video tools unknowingly download Noodlophile Stealer, a new malware that steals browser credentials, crypto

A cyber attack briefly disrupted South African Airways operations

3 TTPs

•

by Pierluigi Paganini / 5d

•

SAA experiences major cyberattack disruption

A cyberattack briefly disrupted South African Airways’ website, app, and systems, but core flight operations remained unaffected. South African Airways (SAA) is the national flag carrier of South Africa, the airline is wholly owned by the South African government and has subsidiaries including SAA Technical and Air Chefs. A cyberattack hit South African Airways, briefly disrupting its website, ap

Ascension reveals personal data of 437,329 patients exposed in cyberattack

Impact (Enterprise TA0040)

•

by Pierluigi Paganini / 4d

•

Ascension data breach affects 430000 patients

A data breach at Ascension, caused by a former partner’s compromise, exposed the health information of over 430,000 patients. Ascension is one of the largest private healthcare systems in the United States, ranking second in the United States by the number of hospitals as of 2019. At the end of April, the company notified patients that their personal and health information had been compromised in

Yesterday

U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog

by Pierluigi Paganini / 4h

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability, tracked as CVE-2025-32756 , to its Known Exploited Vulnerabilities (KEV) catalog . This week, Fortinet released securit

Kosovo authorities extradited admin of the cybercrime marketplace BlackDB.cc

Kosovo man extradited for cybercrime

•

by Pierluigi Paganini / 5h

Kosovar citizen extradited to the US for running the cybercrime marketplace BlackDB.cc appeared in federal court facing related charges. Kosovo citizen Liridon Masurica (33) of Gjilan, was extradited to the US for running the cybercrime marketplace BlackDB.cc and appeared in federal court facing related charges. The online criminal marketplace BlackDB.cc has been active sunce 2018, the platform o

U.S. CISA adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

8 TTPs

•

by Pierluigi Paganini / 17h

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft Windows flaws to its Known Exploited Vulnerabilities (KEV) catalog . Below are the descriptions for these flaws: CVE-2025-30397 (CVSS score: 7.5) – Scripting Engine Memory Corrupti

Ivanti fixed two EPMM flaws exploited in limited attacks

2 TTPs

•

by Pierluigi Paganini / 19h

Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited attacks. Ivanti has released security updates to address two vulnerabilities in Endpoint Manager Mobile (EPMM) software. The company confirmed that threat actors have chained the flaws in limited attacks to gain remote code execution. The two vulnerabilities are tracked as CVE-2025-442

Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days

8 TTPs

•

by Pierluigi Paganini / 1d

•

PatchTuesday

Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including five zero-day flaws. Microsoft Patch Tuesday security updates addressed 75 security vulnerabilities in Windows and Windows Components, Office and Office Components, .NET and Visual Studio, Azure, Nuance PowerScribe, Remote Desktop Gateway Service, and Microsoft Defender. Of the fl

May 13, 2025

Fortinet fixed actively exploited FortiVoice zero-day

IoC > 6 IPs

•

by Pierluigi Paganini / 1d

•

7 TTPs

•

CVE-2025-32756

Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice enterprise phone systems. Fortinet released security updates to address a critical remote code execution zero-day, tracked as CVE-2025-32756 , that was exploited in attacks targeting FortiVoice enterprise phone systems. The vulnerability is a stack-based overflow issue that im

How Interlock Ransomware Affects the Defense Industrial Base Supply Chain

by Pierluigi Paganini / 1d

Interlock Ransomware ‘s attack on a defense contractor exposed global defense supply chain details, risking operations of top contractors and their clients. Resecurity envisions the cascading effects on the defense supply chain due to ransomware activity. In the recent incident, by attacking a defense contractor, Interlock Ransomware uncovered details about the supply chains and operations of man

Marks and Spencer confirms data breach after April cyber attack

4 TTPs

•

by Pierluigi Paganini / 1d

•

Hackers target M&S hinting politics

Marks and Spencer (M&S) confirms that threat actors stole customer data in the ransomware attack that hit the company in April. In April, Marks and Spencer Group plc (M&S) announced it had been managing a cyber incident in recent days with the help of external cyber security experts. Customers report outages affecting card payments, gift cards, and M&S’s Click and Collect service across electroni

Moldovan Police arrested a 45-year-old foreign man participating in ransomware attacks on Dutch companies

Moldovan man arrested for ransomware

•

by Pierluigi Paganini / 2d

A 45-year-old foreign man has been arrested in Moldova for allegedly participating in ransomware attacks on Dutch companies in 2021. Moldovan police arrested a 45-year-old foreign man as a result of a joint international operation involving Moldovan and Dutch authorities. He is internationally wanted for multiple cybercrime, including ransomware attacks, blackmail, and money laundering, targeting

APT group exploited Output Messenger Zero-Day to target Kurdish military operating in Iraq

IoC > 1 domain

•

by Pierluigi Paganini / 2d

•

11 TTPs

•

CVE-2025-27920

A Türkiye-linked group used an Output Messenger zero-day to spy on Kurdish military targets in Iraq, collecting user data since April 2024. Since April 2024, the threat actor Marbled Dust (aka Sea Turtle , Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf) has exploited a zero-day flaw ( CVE-2025-27920 ) in Output Messenger to target Kurdish military-linked users in Iraq, collecting user data and

May 12, 2025

Apple released security updates to fix multiple flaws in iOS and macOS

by Pierluigi Paganini / 2d

Apple released security updates to address easily exploitable vulnerabilities impacting iOS and macOS devices. Apple released urgent iOS and macOS security updates to patch critical flaws that could allow attackers to execute malicious code just by opening a crafted image, video, or website: AppleJPEG CVE-2025-31251 – Processing a maliciously crafted media file may lead to unexpected app terminat

U.S. CISA adds TeleMessage TM SGNL to its Known Exploited Vulnerabilities catalog

Collection (Enterprise TA0009)

•

by Pierluigi Paganini / 2d

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds TeleMessage TM SGNL flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a TeleMessage TM SGNL flaw, tracked as CVE-2025-47729 (CVSS score of 1.9), to its Known Exploited Vulnerabilities (KEV) catalog . “The TeleMessage archiving backend through 2025-05-05 holds

Researchers found one-click RCE in ASUS’s pre-installed software DriverHub

by Pierluigi Paganini / 2d

Expert found two flaws in DriverHub, pre-installed on Asus motherboards, which allow remote code execution via crafted HTTP requests. Security researcher ‘MrBruh’ discovered two vulnerabilities, tracked as CVE-2025-3462 (CVSS score of 8.4) and CVE-2025-3463 (CVSS score of 9.4), in DriverHub, a driver that is pre-installed on Asus motherboards. A remote attacker can exploit the flaws to gain arbit

May 11, 2025

German police seized eXch crypto exchange

Germany seizes 34M euros from eXch

•

by Pierluigi Paganini / 3d

Germany’s BKA shut down eXch crypto exchange, seizing its infrastructure over money laundering and illegal trading platform charges. On April 30, 2025, Germany’s Federal Criminal Police (BKA) shut down the eXch crypto exchange (eXch.cx), seizing its infrastructure over money laundering and illegal trading allegations. ZIT, BKA, and Dutch FIOD led the operation, expecting the evidence to aid other

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 45

by Pierluigi Paganini / 3d

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape iClicker site hack targeted students with malware via fake CAPTCHA New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms Backdoor found in popular ecommerce components Stealthy Linux backdoor leveraging residential proxies and NHAS reverse SSH

Security Affairs newsletter Round 523 by Pierluigi Paganini – INTERNATIONAL EDITION

by Pierluigi Paganini / 3d

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Ascension reveals personal data of 437,329 patients exposed in cyberattack Operation Moonlander dismantled the botnet behind Anyproxy and 5socks cybercrim

Google will pay Texas $1.4 billion over its location tracking practices

Google settles Texas privacy lawsuits

•

by Pierluigi Paganini / 3d

Google will pay the U.S. state of Texas $1.4B to settle lawsuits over unauthorized location tracking and facial recognition data retention. Google will pay nearly $1.4 billion to the state of Texas to settle two lawsuits over tracking users’ locations and storing biometric data without consent. The $1.375 billion settlement far exceeds previous fines over its location tracking practices: $391 mil

May 10, 2025

Operation Moonlander dismantled the botnet behind Anyproxy and 5socks cybercriminals services

8 TTPs

•

by Pierluigi Paganini / 4d

•

FBI and Dutch police shut down botnet

Law enforcement dismantled a 20-year botnet behind Anyproxy and 5socks cybercriminals services and arrested four suspects. Authorities dismantled a 20-year-old botnet tied to Anyproxy and 5socks as part of an international operation codenamed “Operation Moonlander”; four men, including three Russians, were indicted for running the illegal proxy networks. The U.S. Justice Department charged Russia

May 9, 2025

Cybercriminal services target end-of-life routers, FBI warns

by Pierluigi Paganini / 6d

The FBI warns that attackers are using end-of-life routers to deploy malware and turn them into proxies sold on 5Socks and Anyproxy networks. The FBI released a FLASH alert warning about 5Socks and Anyproxy malicious services targeting end-of-life (EOL) routers. Attackers target EoL devices to deploy malware by exploiting vulnerabilities and create botnets for attacks or proxy services. The alert

May 8, 2025

Russia-linked ColdRiver used LostKeys malware in recent attacks

COLDRIVER uses LOSTKEYS malware

•

by Pierluigi Paganini / 6d

Since early 2025, Russia-linked ColdRiver has used LostKeys malware to steal files in espionage attacks on Western governments and organizations. Google’s Threat Intelligence Group discovered LOSTKEYS, a new malware used by Russia-linked APT COLDRIVER , in recent attacks to steal files and gather system info. The ColdRiver APT (aka “ Seaborgium “, “Callisto”, “Star Blizzard”, “TA446”) is a Russia

SonicWall fixed SMA 100 flaws that could be chained to execute arbitrary code

by Pierluigi Paganini / 6d

SonicWall addressed three SMA 100 flaws, including a potential zero-day, that could allow remote code execution if chained. SonicWall patches three SMA 100 vulnerabilities (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821), including a potential zero-day, that could be chained by a remote attacker to execute arbitrary code. The first flaw, tracked as CVE-2025-32819 (CVSS score of 8.8), is a Pos

The LockBit ransomware site was breached, database dump was leaked online

LockBit ransomware gang hacked database exposed

•

by Pierluigi Paganini / 6d

Lockbit ransomware group has been compromised, attackers stole and leaked data contained in the backend infrastructure of their dark web site. Hackers compromised the dark web leak site of the LockBit ransomware gang and defaced it, posting a message and a link to the dump of the MySQL database of its backend affiliate panel. “Don’t do crime CRIME IS BAD xoxo from Prague,” reads the message publi

Cisco fixed a critical flaw in its IOS XE Wireless Controller

CVE-2025-20188 & 16 others

•

by Pierluigi Paganini / 7d

Cisco addressed a flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files. Cisco released software updates to address a vulnerability, tracked as CVE-2025-20188 (CVSS score 10), in IOS XE Wireless Controller. An unauthenticated, remote attacker can exploit the flaw to load arbitrary files to a vulnerable system. An attacker can exploi

May 7, 2025

U.S. CISA adds GoVision device flaws to its Known Exploited Vulnerabilities catalog

6 TTPs

•

by Pierluigi Paganini / 7d

•

CVE-2024-11120

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds GoVision device flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities (KEV) catalog . Below are the descriptions for these flaws: CVE-2024-60

Polish authorities arrested 4 people behind DDoS-for-hire platforms

Police arrest DDoS-for-hire suspects

•

by Pierluigi Paganini / 7d

Polish police arrested 4 people behind DDoS-for-hire platforms used in global attacks, offering takedowns for as little as €10 via six stresser services. Polish authorities arrested 4 people linked to 6 DDoS-for-hire platforms, Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut, used to launch attacks worldwide for as little as €10. The platforms were used to carry out thousands of

Play ransomware affiliate leveraged zero-day to deploy malware

11 TTPs

•

by Pierluigi Paganini / 7d

The Play ransomware gang exploited a high-severity Windows Common Log File System flaw in zero-day attacks to deploy malware. The Play ransomware gang has exploited a Windows Common Log File System flaw, tracked as CVE-2025-29824 , in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems. The vulnerability CVE-2025-29824 , (CVSS score of 7.8) is a Use after free in

Canary Exploit tool allows to find servers affected by Apache Parquet flaw

6 TTPs

•

by Pierluigi Paganini / 7d

F5 Labs researchers released a PoC tool to find servers vulnerable to the Apache Parquet vulnerability CVE-2025-30065. A working proof-of-concept exploit for the critical Apache Parquet vulnerability CVE-2025-30065 has been released by F5 Labs, allowing the identification of vulnerable servers. The tool, called “canary exploit,” is available on the security firm’s GitHub repository . Apache Parqu

Unsophisticated cyber actors are targeting the U.S. Energy sector

Impact (Enterprise TA0040)

•

by Pierluigi Paganini / 8d

CISA, FBI, EPA, and DoE warn of cyberattacks on the U.S. Energy sector carried out by unsophisticated cyber actors targeting ICS/SCADA systems. The US cybersecurity agency CISA, the FBI, EPA, and the DoE issued a joint alert to warn of cy