Europol Announces New Task Force to Combat Violence-as-a-Service — Europol has created a new operational task force to tackle the growing problem of young people being groomed or coerced into working for criminal service-provider groups that specialize in online and physical attacks. Known as OTF GRIMM, the task force seeks to disrupt violence-as-a-service and brings together law enforcement authorities from Belgium, Denmark, Finland, France, Germany, the Netherlands, and Norway. These schemes recruit young people via social media platforms and messaging apps using coded language, memes, and gamified tasks, luring them with the promise of a luxurious lifestyle. Criminal networks do this deliberately to reduce their own risk and shield themselves from law enforcement. "The exploitation of young perpetrators to carry out criminal acts has emerged as a fast-evolving tactic used by organized crime," the agency said. "Violence-as-a-service refers to the outsourcing of violent acts to criminal service providers — often involving the use of young perpetrators to carry out threats, assaults, or killings for a fee."

China Accuses the U.S. of Launching Cyber Attack — U.S. intelligence agencies reportedly launched cyber attacks against a major Chinese commercial cryptography provider in 2024, stealing 6.2 GB of critical project data, according to a report from China's National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC). The attack is said to have exploited an undisclosed vulnerability in the company's customer relationship management system to gain access, implanting a custom trojan for remote control and data theft. "The compromised system contained over 600 user accounts, 8,000 customer profile records, and more than 10,000 contract orders, some involving key Chinese government entities," Global Times reported.
Earlier this January, the agency said it had "handled two incidents of cyber attacks [that] originated from the United States on China's large-scale tech firms to steal trade secrets." The activities targeted an advanced materials design and research institution in China in August 2024 and a large-scale high-tech firm in May 2023.

BreachForums Compromised in a Zero-Day Attack on MyBB Software — BreachForums (breachforums[.]sx) has been resurrected after a previous version hosted on "breachforums[.]st" was taken offline through a MyBB zero-day exploit as part of a law enforcement action, the site's new administrator Momondo claimed. The cybercrime forum was first taken down in 2023 and its original administrator Conor Brian Fitzpatrick (aka Pompompurin) arrested for operating the site. Since then, the site has resurfaced time and again under a revolving door of administrators and site addresses.

Two Arrested in Connection With JokerOTP Operation — Two individuals, a 24-year-old man from Middlesbrough and a 30-year-old from the Oost-Brabant region of the Netherlands, have been arrested in a joint international operation dismantling JokerOTP, a sophisticated phishing tool used to intercept two-factor authentication (2FA) codes and steal over £7.5 million. "Over a two-year period, the tool is believed to have been used across 13 countries and over 28,000 times. It is suspected that financial accounts have been compromised, totaling £7.5 million," Cleveland Police's Cyber Crime Unit said.

Microsoft Details CVE-2025-31191 macOS Flaw — Microsoft has shared details on CVE-2025-31191, a macOS vulnerability in Apple's CoreServices component that could allow a malicious app to access sensitive user data. Apple addressed the issue in late March 2025 with macOS Sequoia 15.4. According to Microsoft researcher Jonathan Bar Or, the flaw could "allow specially crafted codes to escape the App Sandbox and run unrestricted on the system."
In other words, an attacker could create an exploit to escape the macOS sandbox without user interaction and perform further malicious actions like elevating privileges, exfiltrating data, and deploying additional payloads. The company also detailed an attack scenario wherein the exploit "could allow an attacker to delete and replace a keychain entry used to sign security-scoped bookmarks to ultimately escape the App Sandbox without user interaction." Security-scoped bookmarks are a mechanism designed by Apple to specifically get around the App Sandbox rules using explicit, persistent user choices.

New Supply Chain Attack Targets Magento Sites — In what has been described as a "coordinated supply chain attack," hundreds of e-commerce stores running Magento have been backdoored since late April 2025. Sansec said it identified 21 application packages from vendors Tigren, Meetanshi, and MGS with the same backdoor. The infrastructure associated with these vendors is found to have been breached to inject backdoors into their download servers. "The backdoor consists of a fake license check in a file called License.php or LicenseApi.php," Sansec said. "The evil is in the adminLoadLicense function, which executes $licenseFile as PHP." Specifically, it includes code to upload arbitrary payloads like web shells, which could then be used to perform various malicious actions. The backdoor injections occurred six years ago, but it wasn't until April 2025 that they were activated to take control of the servers.

U.S. House Passes Bill to Study Router Risks — A bill requiring the U.S. Department of Commerce to study national security issues posed by routers and modems controlled by U.S. adversaries passed the House of Representatives. Called the Removing Our Unsecure Technologies to Ensure Reliability and Security (ROUTERS) Act, it aims to safeguard Americans' communications networks from foreign-adversary-controlled technology such as routers and modems.
The proposed legislation mandates the Department of Commerce to assess the risks posed by routers, modems, and other devices developed, manufactured, or supplied by its adversaries like China, Russia, Iran, North Korea, Cuba, or Venezuela.

New OpenEoX Framework Published to Coordinate Product End-of-Life Security Disclosures — Tech giants Cisco, Dell Technologies, IBM, Microsoft, Oracle, Red Hat, and others have teamed up for a new OpenEoX framework that hopes to standardize end-of-life (EoL) and end-of-support (EoS) information to better protect the supply chain and combat cybersecurity risks linked to unsupported software and hardware. "OpenEoX introduces a much-needed, unified framework designed to streamline the exchange of end-of-life (EoL) and end-of-security-support (EoSSec) data that enables transparency and efficiency," said Omar Santos, OpenEoX co-chair and Cisco Distinguished Engineer.

Hackers Scan for Leaked Git Tokens and Secrets — Threat intelligence firm GreyNoise said it has observed a significant increase in crawling activity targeting Git configuration files between April 20 and 21, 2025, likely in an attempt to access internal codebases, developer workflows, and potentially sensitive credentials. Nearly 4,800 unique IP addresses participated in the effort, which mainly targeted Singapore, the U.S., Germany, the United Kingdom, and India. There have been four such spikes since September 2024, the other three instances being November 2024, December 2024, and early March 2024. The development comes as GreyNoise also said it has witnessed a "sharp and sustained decline" in opportunistic scanning of Palo Alto Networks PAN-OS GlobalProtect portals. "The majority of IPs involved in this activity are associated with the provider, 3xK Tech GmbH – accounting for nearly 20,000 of the 25,000+ IPs observed in the past 90 days," it said.
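One way a defender can turn the GreyNoise observation above into a local check is to look for the same probing in their own web server access logs. The script below is an added example written for this page, not GreyNoise's tooling or anything from the original bulletin: it parses access-log lines in the combined format, counts requests for paths under /.git/ per source IP, and separates probes that were answered with HTTP 200 (meaning repository metadata was actually served and the exposure needs fixing) from those that were not. The log lines are constructed for the example.

```python
"""Spot crawling for exposed Git metadata in web server access logs.

Added example, not GreyNoise's code. It reads lines in the common/combined
log format, flags requests for anything under a .git directory, and reports
per source IP how many probes were seen and which of them were served with
HTTP 200. The sample log below is constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample: two crawlers probe .git paths; one of them gets 200s
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2025:10:01:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2025:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Apr/2025:10:05:44 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.23 - - [20/Apr/2025:10:05:45 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/8.0"
198.51.100.23 - - [20/Apr/2025:10:05:46 +0000] "GET /.git/logs/HEAD HTTP/1.1" 200 1900 "-" "curl/8.0"
192.0.2.9 - - [20/Apr/2025:10:09:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2025:00:12:30 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Common/combined log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Any path component named .git (top level or nested, e.g. /app/.git/HEAD)
GIT_PATH_RE = re.compile(r'^/(?:.*/)?\.git(?:/|$)')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_git_probes(log_text):
    """Map source IP -> {count, paths, served} for requests under .git."""
    probes = defaultdict(lambda: {"count": 0, "paths": set(), "served": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not GIT_PATH_RE.match(rec["path"]):
            continue
        entry = probes[rec["ip"]]
        entry["count"] += 1
        entry["paths"].add(rec["path"])
        if rec["status"] == 200:  # metadata was actually handed out
            entry["served"].append(rec["path"])
    return dict(probes)


def exposed_paths(probes):
    """Sorted list of .git paths that were served with 200: fix these first."""
    return sorted({p for e in probes.values() for p in e["served"]})


if __name__ == "__main__":
    result = find_git_probes(SAMPLE_LOG)
    for ip, entry in result.items():
        print(f"{ip}: {entry['count']} probe(s), served={entry['served']}")
    print("exposed:", exposed_paths(result))
```

A non-empty `exposed_paths` result means the web server is handing out repository metadata and the `.git` directory should be removed from the document root or denied in the server configuration; probes answered with 404 are still worth recording as reconnaissance.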
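Returning to the Magento backdoor described earlier in this bulletin: the indicator Sansec gives (a License.php or LicenseApi.php whose adminLoadLicense function executes $licenseFile as PHP) is specific enough to check for on a store's own file system. The script below is an added example written for this page, not Sansec's scanner or any vendor's code. It walks a Magento code tree, picks out files with those two names, and classifies each by whether $licenseFile is passed to eval/include/require. Which execution primitive the real backdoor uses is an assumption, as are the app/code layout and the sample file contents, which are constructed in a temporary directory so the script runs offline.

```python
"""Scan a Magento code tree for the fake-license backdoor indicator.

Added example, not Sansec's tooling. Indicator from the bulletin: a file
named License.php or LicenseApi.php containing an adminLoadLicense function
that executes $licenseFile as PHP. The eval/include/require set below is an
assumption about how that execution is done; the sample tree is constructed.
"""
import os
import re
import tempfile

SUSPECT_NAMES = {"License.php", "LicenseApi.php"}
FUNC_RE = re.compile(r'function\s+adminLoadLicense\s*\(', re.IGNORECASE)
# $licenseFile handed to a code-execution primitive (assumed set of primitives)
EXEC_RE = re.compile(
    r'\b(?:eval|include(?:_once)?|require(?:_once)?)\s*\(?\s*\$licenseFile\b'
)


def classify_file(path):
    """'backdoor' if $licenseFile is executed, 'review' if only the named
    function is present (a normal vendor license check), else 'clean'."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    if EXEC_RE.search(src):
        return "backdoor"
    if FUNC_RE.search(src):
        return "review"
    return "clean"


def scan_tree(root):
    """Return {relative path: classification} for every suspect-named file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in SUSPECT_NAMES:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = classify_file(full)
    return findings


# Constructed samples: a benign license loader and one matching the indicator
BENIGN = (
    "<?php\nfunction adminLoadLicense($licenseFile) {\n"
    "  return json_decode(file_get_contents($licenseFile), true);\n}\n"
)
BACKDOORED = (
    "<?php\nfunction adminLoadLicense($licenseFile) {\n"
    "  eval($licenseFile);\n}\n"
)


def build_sample_tree():
    """Create a throwaway app/code tree with one clean and one flagged module."""
    root = tempfile.mkdtemp(prefix="magento-scan-")
    mod_a = os.path.join(root, "app", "code", "VendorA", "Module")
    mod_b = os.path.join(root, "app", "code", "VendorB", "Module")
    os.makedirs(mod_a)
    os.makedirs(mod_b)
    with open(os.path.join(mod_a, "License.php"), "w") as f:
        f.write(BENIGN)
    with open(os.path.join(mod_b, "LicenseApi.php"), "w") as f:
        f.write(BACKDOORED)
    with open(os.path.join(mod_b, "Helper.php"), "w") as f:
        f.write("<?php\n// unrelated helper\n")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, verdict in sorted(scan_tree(tree).items()):
        print(f"{verdict:9s} {rel}")
```

Run it against a real store with `scan_tree("/var/www/magento")` (path is an assumption). A `review` hit is a license check that merits a look but does not execute its input; a `backdoor` hit should be compared against the vendor's clean release and the file hash recorded before the host is cleaned.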
Garantex Likely Rebrands as Grinex — The now-sanctioned cryptocurrency exchange Garantex, which had its website seized in March 2025 by law enforcement, has likely rebranded as Grinex, TRM Labs revealed. "Days after Garantex's takedown, Telegram channels affiliated with the exchange began promoting Grinex, a platform with a nearly identical interface, registered in Kyrgyzstan in December 2024," the company said. Grinex has since announced it had entered into an agreement with Garantex to onboard its clients and was considering hiring former Garantex employees. It has also begun to distribute former Garantex user assets through a new token, A7A5. "From as early as January 2025, Garantex began moving funds into A7A5, a purported stablecoin pegged to the Russian ruble. Promoted as a means to recover frozen user assets, A7A5 appears engineered to evade sanctions, offering daily profit-sharing and anonymity through platforms like TRON and Ethereum," TRM Labs said.

Flaws Disclosed in Jan AI — Multiple security flaws (CVE-2025-2439, CVE-2025-2445, CVE-2025-2446, and CVE-2025-2447) have been disclosed in Menlo Research's Jan AI, an offline ChatGPT alternative, that could be exploited by remote, unauthenticated attackers to manipulate systems. "With vulnerabilities ranging from missing CSRF protection of state-changing endpoints to command injection, an attacker can leverage these to take control of a self-hosted server or issue drive-by attacks against LLM developers," Snyk said. The issues have since been addressed.

New macOS Malware Families Detailed — Kandji researchers have flagged a new suspicious macOS program called PasivRobber that's capable of gathering data from various apps like WeChat, QQ, web browsers, and email clients, among others, through 28 different plugins. The tool is believed to be linked to a Chinese company called Meiya Pico, which develops forensic tools and was previously identified by the U.S.
Treasury Department as one of the eight firms that "support the biometric surveillance and tracking of ethnic and religious minorities in China, particularly the predominantly Muslim Uyghur minority in Xinjiang." The disclosure coincided with the discovery of another malware called ReaderUpdate that acts as a loader to serve the Genieo (aka DOLITTLE) adware, with variants of the malware written in Python, Crystal, Nim, Rust, and Go. The malware, first detected in 2020, has been distributed via free and third-party software download sites, in the form of package installers containing fake or trojanized utility applications. "Where compromised, hosts remain vulnerable to the delivery of any payload the operators choose to deliver, whether of their own or sold as Pay-Per-Install or Malware-as-a-Service on underground markets," the company said.

Apple Sends Out Notifications for Spyware Attacks — Apple has sent out threat notifications advising users in 100 countries that their phones may have been targeted by advanced commercial spyware. This included an Italian journalist and a Dutch activist, according to TechCrunch. It's not yet clear what spyware campaign, if known, the Apple notifications relate to. Apple has been sending out such notices to those targeted in state-sponsored attacks since 2021. The news comes as the Meta-NSO Group case has moved to the next phase, with Meta asking the spyware company to pay over $440,000 in compensatory damages. NSO Group, in response, has accused Meta of inflating its damages and letting the malware remain on WhatsApp servers to "steal NSO's trade secrets."

France Accuses Russia of Years of Cyber Attacks — France's foreign ministry has accused Russia's GRU military intelligence agency of mounting cyber attacks on a dozen entities including ministries, defense firms, research entities, and think tanks since 2021 in an attempt to destabilize the nation.
The attacks have been linked to a hacking group called APT28 (aka BlueDelta or Fancy Bear). The ministry said APT28's attacks on France go as far back as 2015, when French television channel TV5Monde was targeted, and that the formidable military intelligence hackers have sought to obtain strategic intelligence from entities across Europe and North America. The intrusions are said to have relied on phishing, vulnerability exploitation (e.g., CVE-2023-23397), poorly-secured edge devices, and brute-force attacks against webmail as initial access vectors. The group has also repeatedly targeted Roundcube email servers to exfiltrate inbox data, used phishing emails to distribute malware families like HeadLace and OCEANMAP, and attempted to evade detection by hiding behind low-cost, ready-to-use outsourced infrastructure. The development comes as Russia-aligned hacktivists like NoName057(16) have claimed responsibility for large-scale DDoS attacks targeting Dutch organizations as payback for sending €6 billion in military aid to Ukraine.

Cloudflare Blocks 20.5M DDoS Attacks in Q1 2025 — Speaking of DDoS attacks, Cloudflare said it blocked 20.5 million of them in the first quarter of 2025, a 358% year-over-year (YoY) increase and a 198% quarter-over-quarter (QoQ) increase. In comparison, it blocked 21.3 million DDoS attacks during the calendar year 2024. "Of the 20.5 million DDoS attacks blocked in Q1, 16.8 million were network-layer DDoS attacks, and of those, 6.6M targeted Cloudflare's network infrastructure directly," it noted. "Another 6.9 million targeted hosting providers and service providers protected by Cloudflare." These attacks were part of an 18-day multi-vector DDoS campaign comprising SYN flood attacks, Mirai-generated DDoS attacks, and SSDP amplification attacks. The web infrastructure company said it also blocked approximately 700 hyper-volumetric DDoS attacks that exceeded 1 Tbps or 1 Bpps.
In late April 2025, the company revealed it mitigated a record-breaking DDoS attack peaking at 5.8 Tbps, which lasted for approximately 45 seconds. The previous record was a 5.6 Tbps DDoS attack that leveraged a Mirai-based botnet comprising 13,000 devices.

Babuk2 Bjorka Represents Data Commoditization at Scale — Cybersecurity researchers have shed light on a cybercrime operation called Babuk2 Bjorka that ostensibly masquerades as an evolution of the Babuk RaaS operation but, in reality, is an "industrial scale data commoditization enterprise" that works by selling recycled stolen data from other ransomware groups on cybercrime forums. "The group is not just copying and pasting old leaks; they're building a brand, establishing a market presence, and creating a sustainable operational model," Trustwave SpiderLabs said.

FBI Shares List of 42,000 LabHost Phishing Domains — The U.S. Federal Bureau of Investigation (FBI) has released a massive list of 42,000 phishing domains tied to the LabHost cybercrime platform, which was dismantled in April 2024. These domains, obtained from the backend servers, were registered between November 2021 and April 2024. "Though the LabHost domains are historical in nature, this list of over 42,000 domains may provide insight for network defenders and cyber threat intelligence personnel on adversary tactics and techniques," the FBI said.

Polish Police Disrupt Cybercrime Gang — Polish authorities have dismantled an international cybercrime group accused of defrauding dozens of victims out of nearly $665,000. Nine people aged between 19 and 51 have been arrested in connection with the case. The suspects are believed to have posed as bank employees and law enforcement officers to trick victims into transferring funds to accounts under their control. At least 55 people were targeted as part of the scam since April 2023.
Critical Security Flaws in Browser Wallets — Security vulnerabilities have been identified in browser wallets such as Stellar Freighter, Frontier Wallet, and Coin98 that could permit attackers to drain funds without requiring any social engineering or phishing attempts. "Simply visiting the wrong site could silently expose your recovery phrase, allowing attackers to drain your funds whenever they want," Coinspect said. "A malicious site could steal the secret recovery phrase even when the wallet was locked and without requiring any user approval to connect." There is no evidence that the shortcomings were exploited in the wild.

New Reverse NFCGate Technique Revealed — The legitimate NFCGate application, which is used to capture, analyze, or modify near-field communication (NFC) traffic from Android devices, has been misused to steal 40 million rubles from Russian bank customers as of January 2025, cybersecurity firm F6 has revealed. Fraudsters have been observed modifying the application, masking it as government and banking services to carry out their activities. Last month, F6 noted that the total amount of damage from attacks on customers of Russian banks using NFCGate-based malware for the first two months of 2025 is estimated at almost 200 million rubles. In March 2025, there were an estimated 180 thousand compromised devices in Russia, on which NFCGate and another malware called CraxsRAT were installed. But in what appears to be a further escalation of the threat actor's tactics, a new attack scheme known as reverse NFCGate has come to light. The attacks seek to trick victims into downloading a malicious app to supposedly secure their accounts. Once the app is installed and opened, victims are notified via a pop-up window that they need to set the malware as the default application for contactless payments. The attack then directs them to an ATM to deposit money into their own accounts under various pretexts.
"In the reverse version of NFCGate, the application uses the ability to relay NFC traffic to transmit the drop card data to the user's device," F6 said. "When, as a result of the fraudulent attack, the victim comes to the ATM to deposit money into their account, they will place their smartphone on the ATM's NFC module, but instead of their card, they will log in with the drop card, to whom the entire amount will be sent." As many as 175,000 compromised devices have been detected in the country as of March 2025, with over 1,000 confirmed attacks conducted on clients of leading Russian banks using the reverse version of NFCGate. The average amount of damage from attacks using the reverse version of NFCGate is 100 thousand rubles.