Microsoft RDP services Targeted by Malicious Scans — Microsoft's Remote Desktop Protocol (RDP) services have been hit with a torrent of malicious scans from tens of thousands of IP addresses in recent days, indicating a coordinated reconnaissance campaign. "The wave's aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions," GreyNoise said. The activity took place over two waves on August 21 and 24, with thousands of unique IP addresses simultaneously probing both Microsoft RD Web Access and Microsoft RDP Web Client authentication portals. Flaw in TheTruthSpy Spyware — A vulnerability in TheTruthSpy spyware app can allow bad actors to take over any account and retrieve collected victim data. The vulnerability exploits an issue with the app's password recovery process to change the password of any account. TheTruthSpy told TechCrunch it can't fix the bug because it "lost" the app's source code. Russia's Max App Logs User Activity — The Russian government's WhatsApp rival, Max, is constantly monitoring and logging all user activity. According to Corellium's technical analysis, the app doesn't use encryption and tracks user location in real-time and with high accuracy. Developed by Russian tech giant VK, the app has been made mandatory and must be installed on all mobile devices sold in Russia after September 1, 2025. The app was initially launched earlier this March. OpenSSH's PQC Play — OpenSSH said it will start showing warnings when users connect to an SSH server that does not have post-quantum cryptography protections starting with OpenSSH 10.1. "The ideal solution is to update the server to use an SSH implementation that supports at least one of these," the maintainers said. "OpenSSH versions 9.0 and greater support sntrup761x25519-sha512 and versions 9.9 and greater support mlkem768x25519-sha256. If your server is already running one of these versions, then check whether the KexAlgorithms option has disabled their use." Credential Harvesting Campaign Targets ScreenConnect Super Admin Accounts — A low-volume campaign is targeting ScreenConnect cloud administrators with fake email alerts warning about a potentially suspicious login event with the goal of stealing their credentials for potential ransomware deployment. The activity, ongoing since 2022, has been attributed by Mimecast to MCTO3030. "The campaign employs spear phishing emails delivered through Amazon Simple Email Service (SES) accounts, targeting senior IT professionals, including directors, managers, and security personnel with elevated privileges in ScreenConnect environments," the company said. "The attackers specifically seek super administrator credentials, which provide comprehensive control over remote access infrastructure across entire organizations." The attackers are using the open source Evilginx framework to provision these phishing pages and to act as a reverse proxy between the victim and the real site. The framework can capture both login credentials and session cookies. More ScreenConnect-Themed Campaigns Discovered — Another campaign has leveraged phishing emails with fake Zoom meeting invitations and Microsoft Teams calls to lead victims to malicious links that download the ScreenConnect software. "The weaponization of a legitimate IT administration tool – one designed to grant IT professionals deep system access for troubleshooting and maintenance – combined with social engineering and convincing business impersonation creates a multi-layered deception that provides attackers with the dual advantage of trust exploitation and security evasion," Abnormal AI said. The campaign has so far targeted more than 900 organizations, impacting a broad range of sectors and geographies. A separate campaign has also been observed using fake AI-themed content to lure users into executing a malicious, pre-configured ScreenConnect installer, which then acts as an entry point for the XWorm malware, per Trustwave. In a related development, attackers have been observed weaponizing Cisco's secure links ("secure-web.cisco[.]com") in credential phishing campaigns to evade link scanning and by-pass network filters. "Attackers compromise or create accounts within Cisco-protected organizations," Raven AI said. "They simply email themselves malicious links, let Cisco's system rewrite them into Safe Links, then harvest these URLs for their campaigns." A similar campaign exploiting Proofpoint links was disclosed by Cloudflare in July 2025. TRM Labs Warns of Scam Campaign Impersonating the Firm — Blockchain intelligence company said it's aware of individuals using false domains to impersonate TRM Labs and/or government agencies working in collaboration with TRM Labs. "These are not TRM Labs domains, and the actors behind these are scammers," the company said. "TRM Labs is not involved in fund recovery processes for victims and does not partner with government agencies for the purposes of fund recovery. Unfortunately, these types of scams deliberately target vulnerable people, often when they’re financially vulnerable, having potentially already lost funds to scams." The warning comes against the backdrop of an alert issued by the U.S. Federal Bureau of Investigation (FBI), urging cryptocurrency scam victims to be on the lookout for scams where fraudsters pose as lawyers representing fictitious law firms to help them assist with fund recovery, only to deceive them a second time. New Ransomware Strains Detected — A new ransomware strain going by the name of Cephalus has been spotted in the wild. In incidents observed around mid-August 2025, the group behind the locker used compromised RDP accounts for initial access and used the cloud storage service MEGA for likely data exfiltration purposes. The development comes as the Underground and NightSpire ransomware gangs have launched ransomware attacks against companies in various countries and industries, including South Korea. In another attack analyzed by eSentire, compromised third-party MSP SonicWall SSL VPN credentials served as an initial access pathway for Sinobi, a rebrand of the Lynx ransomware. "Using the compromised account, the threat actors executed commands to create a new local administrator account, set its password, and add it to the domain administrators group," eSentire said. "Both the initial compromised account and the newly created account were subsequently used for lateral movement throughout the network." Most Active Ransomware Groups — Akira, Cl0p, Qilin, Safepay, and RansomHub were the most active ransomware groups in the first half of 2025, per Flashpoint, which found that ransomware attacks increased by 179% compared to the 2024 midyear. The development comes amid notable changes in the ransomware ecosystem, where threat actors increasingly prefer extortion over encryption and have begun to incorporate LLMs in their tooling. The landscape has also continued to splinter, with new gangs and rebrands proliferating in the wake of law enforcement takedowns. MalwareBytes said it tracked 41 newcomers between July 2024 and June 2025, with more than 60 total ransomware gangs operating at once. Microsoft to Throttle Emails to Combat Spam — Microsoft said it will begin throttling emails starting October 15, 2025. The limit will be set to 100 external recipients per organization per 24-hour rolling window. From December 1, the tech giant will start rolling out the restrictions across tenants, starting with tenants with fewer than three seats and eventually reaching tenants with more than 10,001 seats by June 2026. "Despite our efforts to minimize abuse, spammers often exploit newly created tenants to send bursts of spam from '.onmicrosoft.com' addresses before we can intervene," Microsoft said. "This degrades this shared domain’s reputation, affecting all legitimate users. To ensure brand trust and email deliverability, organizations should establish and use their own custom domains for sending email." SleepWalk, a Physical Side-Channel Attack to Leak Data — A group of academics from the University of Florida has devised a new hardware side-channel attack dubbed SleepWalk that exploits context switching and CPU power consumption to leak sensitive data like cryptographic keys. "We introduce a physical power side-channel leakage source that exploits the power spike observed during a context switch, triggered by the inbuilt sleep function of the system kernel," the researchers said. "We observed that this power spike directly correlates with both the power consumption during context switching and the residual power consumption of the previously executed program. Notably, the persistence of residual power signatures from previous workloads extends the scope of this side-channel beyond extracting the data in registers during the context switch. Unlike traditional approaches that require analyzing full power traces, applying complex preprocessing, or relying on external synchronization triggers, this novel technique leverages only the amplitude of a single power spike, significantly simplifying the attack." AI Systems Vulnerable to Prompt Injection via Image Scaling Attack — In a novel form of prompt injection attacks aimed at artificial intelligence (AI) chatbots, attackers can hide malicious instructions inside large-scale images and have the prompts execute when the AI agent downscales them. The attacker's prompt is invisible to the human eye in the high-resolution image, but shows up when the image is downscaled by preprocessing algorithms. "This attack works because AI systems often scale down large images before sending them to the model: when scaled, these images can reveal prompt injections that are not visible at full resolution," Trail of Bits said. The cybersecurity company has released an open-source tool called Anamorpher to generate such crafted images. Social Media Accounts Launder News from Chinese State Media Sites — A network of 11 domains and 16 companion social media accounts across Facebook, Instagram, Mastodon, Threads, and X has been found laundering exclusively English-language articles originally published by the Chinese state media outlet CGTN. "The assets almost certainly used AI tools to translate and summarize articles from CGTN, likely in an attempt to disguise the content's origin," Graphika said. "The network assets disseminated primarily pro-China, anti-West content in English, French, Spanish, and Vietnamese." The findings came as the U.S. told Denmark to "calm down" over allegations of covert influence operations by U.S. citizens in Greenland to sow discord between Denmark and Greenland and to promote Greenland's secession from Denmark to the U.S. Analyzing Secret Families of VPN Apps — New research conducted by the Arizona State University and Citizen Lab has found that nearly two dozen VPN applications in Google Play contain security weaknesses impacting the privacy of their users, exposing transmitted data to decryption risks. Further analysis has determined that eight VPN applications from Innovative Connecting, Autumn Breeze, and Lemon Clove (Turbo VPN, Turbo VPN Lite, VPN Monster, VPN Proxy Master, VPN Proxy Master – Lite, Snap VPN, Robot VPN, and SuperNet VPN) share code, dependencies, outdated and unsafe encryption methods, and hard-coded passwords, potentially allowing attackers to decrypt the traffic of their users. Cumulatively, these apps have over 380 million downloads on Google Play. All three companies were found to have ties with Qihoo 360, a Chinese cybersecurity firm that the U.S. sanctioned in 2020. Security Risks in the eSIM Ecosystem — A new study undertaken by academics from Northeastern University has found that many providers associated with eSIMs route user data through foreign telecommunications networks, including Chinese infrastructure, regardless of user location. "Many travel eSIMs route user traffic through third-party infrastructure, often located in foreign jurisdictions," the researchers said. "This may expose user metadata and content to networks outside the user’s country, raising concerns about jurisdictional control and surveillance." What's more, the digital provisioning model creates new opportunities for phishing and spoofing. Malicious actors can distribute fake eSIM profiles via fraudulent QR codes or websites, tricking users into installing unauthorized configurations. ComfyUI Flaw Exploited to Deliver Pickai Backdoor — Threat actors have exploited vulnerabilities in an artificial intelligence (AI) platform called ComfyUI to deliver a backdoor called Pickai. "Pickai is a lightweight backdoor written in C++, designed to support remote command execution and reverse shell access," XLab said, adding it "includes anti-debugging, process name spoofing, and multiple persistence mechanisms." Pickai samples have been observed hosted on the official site of Rubick.ai, a commercial AI-powered platform serving the e-commerce sector across the U.S., India, Singapore, and the Middle East. Early versions of the malware were uploaded to VirusTotal as far back as February 28, 2025. The activity has compromised nearly 700 infected servers worldwide, mainly in Germany, the U.S., and China. Flaw in LSQUIC QUIC Disclosed — Cybersecurity researchers have discovered a vulnerability dubbed QUIC-LEAK (CVE-2025-54939) in the LSQUIC QUIC implementation, allowing threat actors to smuggle malformed packets to exhaust memory and crash QUIC servers even before a connection handshake is established, thereby bypassing QUIC connection-level safeguards. The issue has been fixed in OpenLiteSpeed 1.8.4 and LiteSpeed Web Server 6.3.4. Fake Sites Pushing YouTube Downloads Serve Proxyware — Proxyware programs are being distributed through YouTube sites that allow users to download videos. Attackers who previously installed DigitalPulse and HoneyGain Proxywares are also installing Infatica Proxyware. Similar to coin miners, Proxyware malware profits by utilizing the system’s resources, and many systems in South Korea have recently become the targets of these attacks. U.S. Senator Castigates Federal Judiciary for Negligence — U.S. Senator Ron Wyden accused the federal judiciary of "negligence and incompetence" following a recent hack, reportedly by hackers with ties to the Russian government, that exposed confidential court documents. The breach of the judiciary’s electronic case filing system first came to light in a report by Politico three weeks ago, which went on to say that the vulnerabilities exploited in the hack were known since 2020. The New York Times, citing people familiar with the intrusion, said that Russia was "at least partly responsible" for the hack. "The federal judiciary’s current approach to information technology is a severe threat to our national security," Wyden wrote. "The courts have been entrusted with some of our nation's most confidential and sensitive information, including national security documents that could reveal sources and methods to our adversaries, and sealed criminal charging and investigative documents that could enable suspects to flee from justice or target witnesses." Law Enforcement Freezes $50M in Crypto Assets Tied to Romance Baiting Scams — Several cryptocurrency companies, including Chainalysis, OKX, Binance, and Tether, have come together to freeze nearly $50 million stolen via "romance baiting" scams in collaboration with APAC-based authorities. "Once funds were transferred, scammers then sent proceeds to a consolidation wallet which transferred $46.9 million in USDT [Tether] to a collection of three intermediary addresses," Chainalysis said. "The funds then moved to five different wallets." The funds were frozen by Tether in July 2024. South Korea Extradites Chinese National for Cyber Attacks — South Korean authorities have successfully extradited a 34-year-old Chinese national suspected of orchestrating one of the most sophisticated hacking operations targeting high-profile individuals and financial institutions. He is alleged to have stolen 38 billion won from financial accounts and virtual asset accounts. Anthropic and OpenAI Test Each Other's AI — OpenAI has called on AI firms to test their rivals' systems for safety, as the company and Anthropic conducted safety evaluations of each other's AI systems to tackle risks like prompt injection and model poisoning. The development came as Anthropic revealed that a cybercriminal abused its agentic AI coding tool to automate a large-scale data theft and extortion campaign, marking a "new evolution" in how AI is super-charging cybercrime. The chatbot then analyzed the companies' hacked financial documents to help arrive at a realistic amount of bitcoin to demand in exchange for not leaking the stolen material. It also wrote suggested extortion emails. "The operation demonstrates a concerning evolution in AI-assisted cybercrime, where AI serves as both a technical consultant and active operator, enabling attacks that would be more difficult and time-consuming for individual actors to execute manually." Where years of specialized training once throttled the ability of bad actors to pull off attacks at scale, the new wave of AI-assisted cybercrime could further lower technical barriers, allowing even novices and unskilled operators to carry out complex activities with ease. Separately, Anthropic has announced a policy change to train its AI chatbot Claude with user data, giving existing users until September 28, 2025, to either opt in or opt out to continue using the service; it says it will enable the company to deliver "even more capable, useful AI models" and strengthen safeguards against harmful usage like scams and abuse. Plex Servers Susceptible to New Flaw — Plex has addressed a security vulnerability (CVE-2025-34158), stemming from incorrect resource transfer between spheres, affecting Plex Media Server versions 1.41.7.x to 1.42.0.x. It has been patched in versions 1.42.1.10060 or later. According to data from Censys, there are 428,083 devices exposing the Plex Media Server web interface, although not all of them are necessarily vulnerable. Fake Recipe and Guide Sites Drop Malware — Bogus sites masquerading as image, recipe, and educational guide finders have been found to harbor stealthy code to issue stealthy commands and drop malware on users' systems that can steal sensitive information. It’s assessed that these sites reach targets via malvertising campaigns.
|
|
|
|
|
|
|
Comments
Post a Comment
Please leave a comment about our recent post.